From 37570e81528d3a1d7354ece12dfb972e5f576e39 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 10 Oct 2019 19:29:27 +0200 Subject: [PATCH] mbedtls_asn1_get_int: fix int overflow Fix a signed int overflow in mbedtls_asn1_get_int() for numbers between INT_MAX+1 and UINT_MAX (typically 0x80000000..0xffffffff). This was undefined behavior which in practice would typically have resulted in an incorrect value, but which may plausibly also have caused the postcondition (*p == initial<*p> + len) to be violated. Credit to OSS-Fuzz. --- library/asn1parse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/asn1parse.c b/library/asn1parse.c index 4f9d6aef3..412259e35 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -167,6 +167,8 @@ int mbedtls_asn1_get_int( unsigned char **p, * the int type has no padding bit. */ if( len > sizeof( int ) ) return( MBEDTLS_ERR_ASN1_INVALID_LENGTH ); + if( len == sizeof( int ) && ( **p & 0x80 ) != 0 ) + return( MBEDTLS_ERR_ASN1_INVALID_LENGTH ); *val = 0; while( len-- > 0 )
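Review bot: The new check in mbedtls_asn1_get_int() covers only the full-width case (len == sizeof( int ) with the leading content byte's top bit set); a shorter encoding whose first byte has the top bit set is still accepted and, from the `*val = 0; while( len-- > 0 )` accumulation that follows, decoded as a positive value, so the function's header comment should state that sign bits are not interpreted and that only the full-width overflow case is rejected. The diffstat shows no test change ("1 file changed, 2 insertions(+)"); since the commit message credits OSS-Fuzz and names the boundary explicitly, a regression test with a 4-byte INTEGER whose first content byte is 0x80 (expected MBEDTLS_ERR_ASN1_INVALID_LENGTH) and one with first byte 0x7f (expected success) would pin both sides of the boundary. Returning MBEDTLS_ERR_ASN1_INVALID_LENGTH for what is really an out-of-range value mirrors the existing `if( len > sizeof( int ) )` path immediately above, so callers already handle it, but it is worth confirming that is the intended error code rather than adding a distinct one.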