From 410d3dd3c72d7c0909619af078785bac24097f96 Mon Sep 17 00:00:00 2001
From: Andres AG <andres.amayagarcia@arm.com>
Date: Mon, 26 Sep 2016 09:52:41 +0100
Subject: [PATCH] Fix 1 byte overread in mbedtls_asn1_get_int()

---
 ChangeLog           | 2 ++
 library/asn1parse.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 641ce1635..bde417784 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,6 +31,8 @@ Bugfix
      a contribution from Tobias Tangemann. #541
    * Fixed cert_app sample program for debug output and for use when no root
      certificates are provided.
+   * Fix conditional statement that would cause a 1 byte overread in
+     mbedtls_asn1_get_int(). Found and fixed by Guido Vranken.
    * Fixed pthread implementation to avoid unintended double initialisations
      and double frees. (found by Niklas Amnebratt)
    * Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
diff --git a/library/asn1parse.c b/library/asn1parse.c
index ffa2f5299..4dd65c03c 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -153,7 +153,7 @@ int mbedtls_asn1_get_int( unsigned char **p,
     if( ( ret = mbedtls_asn1_get_tag( p, end, &len, MBEDTLS_ASN1_INTEGER ) ) != 0 )
         return( ret );
 
-    if( len > sizeof( int ) || ( **p & 0x80 ) != 0 )
+    if( len == 0 || len > sizeof( int ) || ( **p & 0x80 ) != 0 )
         return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
 
     *val = 0;