mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-24 16:35:38 +00:00
Fix potential buffer overflow in asn1write
This commit is contained in:
parent
9dc66f4b2f
commit
0d66bb959f
|
@ -9,6 +9,10 @@ Security
|
|||
* Fix potential heap corruption on Windows when
|
||||
mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
|
||||
triggered remotely. Found by Guido Vranken, Interlworks.
|
||||
* Fix potential buffer overflow in some asn1_write_xxx() functions.
|
||||
Cannot be triggered remotely unless you create X.509 certificates based
|
||||
on untrusted input or write keys of untrusted origin. Found by Guido
|
||||
Vranken, Interlworks.
|
||||
* The X509 max_pathlen constraint was not enforced on intermediate
|
||||
certificates. Found by Nicholas Wilson, fix and tests provided by
|
||||
Janos Follath. #280 and #319
|
||||
|
|
|
@ -87,7 +87,7 @@ int mbedtls_asn1_write_raw_buffer( unsigned char **p, unsigned char *start,
|
|||
{
|
||||
size_t len = 0;
|
||||
|
||||
if( *p - start < (int) size )
|
||||
if( *p < start || (size_t)( *p - start ) < size )
|
||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
len = size;
|
||||
|
@ -107,7 +107,7 @@ int mbedtls_asn1_write_mpi( unsigned char **p, unsigned char *start, const mbedt
|
|||
//
|
||||
len = mbedtls_mpi_size( X );
|
||||
|
||||
if( *p - start < (int) len )
|
||||
if( *p < start || (size_t)( *p - start ) < len )
|
||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
(*p) -= len;
|
||||
|
@ -270,7 +270,7 @@ int mbedtls_asn1_write_bitstring( unsigned char **p, unsigned char *start,
|
|||
|
||||
// Calculate byte length
|
||||
//
|
||||
if( *p - start < (int) size + 1 )
|
||||
if( *p < start || (size_t)( *p - start ) < size + 1 )
|
||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
len = size + 1;
|
||||
|
|
Loading…
Reference in a new issue