From 64f65e84bc354462cd807d1d9ce82d1381a46643 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 10 Apr 2015 17:23:05 +0200 Subject: [PATCH] Fix potential unintended sign extension Backport of 6fdc4cae from the 1.3 branch --- ChangeLog | 4 ++++ library/asn1parse.c | 8 +++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index c6befa96f..7ee4050a5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ Security * Fix potential invalid memory read in the server, that allows a client to crash it remotely (found by Caj Larsson). +Bugfix + * Fix potential unintended sign extension in asn1_get_len() on 64-bit + platforms (found with Coverity Scan). + = Version 1.2.13 released 2015-02-16 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting this will be made in the 1.2 branch at this point. diff --git a/library/asn1parse.c b/library/asn1parse.c index 928924ff5..636ab605c 100644 --- a/library/asn1parse.c +++ b/library/asn1parse.c @@ -62,7 +62,7 @@ int asn1_get_len( unsigned char **p, if( ( end - *p ) < 3 ) return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); - *len = ( (*p)[1] << 8 ) | (*p)[2]; + *len = ( (size_t)(*p)[1] << 8 ) | (*p)[2]; (*p) += 3; break; @@ -70,7 +70,8 @@ int asn1_get_len( unsigned char **p, if( ( end - *p ) < 4 ) return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); - *len = ( (*p)[1] << 16 ) | ( (*p)[2] << 8 ) | (*p)[3]; + *len = ( (size_t)(*p)[1] << 16 ) | + ( (size_t)(*p)[2] << 8 ) | (*p)[3]; (*p) += 4; break; @@ -78,7 +79,8 @@ int asn1_get_len( unsigned char **p, if( ( end - *p ) < 5 ) return( POLARSSL_ERR_ASN1_OUT_OF_DATA ); - *len = ( (*p)[1] << 24 ) | ( (*p)[2] << 16 ) | ( (*p)[3] << 8 ) | (*p)[4]; + *len = ( (size_t)(*p)[1] << 24 ) | ( (size_t)(*p)[2] << 16 ) | + ( (size_t)(*p)[3] << 8 ) | (*p)[4]; (*p) += 5; break;