catch not enough bytes in input buffer case

9 years ago · ad7268e0d7
parent 482fb6cba4
commit ad7268e0d7
2 changed files with 2 additions and 0 deletions
--- a/scan/scan_asn1derlength.c
+++ b/scan/scan_asn1derlength.c
@ -14,6 +14,7 @@ size_t scan_asn1derlengthvalue(const char* src,size_t len,unsigned long long* va
  l=(unsigned char)src[1];
  if (l==0) return 0;	/* not minimally encoded: 0x81 0x00 instead of 0x00 */
  if (c>sizeof(l)) return 0;	/* too many bytes, does not fit into target integer type */
+  if (c+1>len) return 0;	/* not enough data in input buffer */
  for (i=2; i<=c; ++i)
    l=l*256+(unsigned char)src[i];
  if (l<0x7f) return 0;	/* not minimally encoded: 0x81 0x70 instead of 0x70 */
--- a/test/marshal.c
+++ b/test/marshal.c
@ -143,6 +143,7 @@ int main() {

  ull=-1; assert(scan_asn1derlength("\x00_",2,&ull)==1 && ull==0);
  ull=-1; assert(scan_asn1derlengthvalue("\x81\xc2_",3,&ull)==2 && ull==0xc2);
+  ull=-1; assert(scan_asn1derlengthvalue("\x82\x12\x34_",2,&ull)==0 && ull==-1);
  ull=-1; assert(scan_asn1derlengthvalue("\x82\x12\x34_",4,&ull)==3 && ull==0x1234);
  ull=-1; assert(scan_asn1derlengthvalue("\x82\x00\x34_",4,&ull)==0 && ull==-1);	// non-minimal encoding
  ull=-1; assert(scan_asn1derlengthvalue("\x81\x12_",3,&ull)==0 && ull==-1);	// non-minimal encoding