35 lines
999 B
Diff
35 lines
999 B
Diff
From c300253181cfc591cbcae9251eda5296ed29591b Mon Sep 17 00:00:00 2001
|
|
From: Werner Koch <wk@gnupg.org>
|
|
Date: Fri, 7 Oct 2022 14:12:33 +0200
|
|
Subject: [PATCH] common: Protect against a theoretical integer overflow in
|
|
tlv.c
|
|
|
|
* common/tlv.c (parse_ber_header): Protect agains integer overflow.
|
|
--
|
|
|
|
Although there is no concrete case where we use the (nhdr + length),
|
|
it is better to protect against this already here.
|
|
---
|
|
common/tlv.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/common/tlv.c b/common/tlv.c
|
|
index abef83a37..9618d04cb 100644
|
|
--- a/common/tlv.c
|
|
+++ b/common/tlv.c
|
|
@@ -222,6 +222,11 @@ parse_ber_header (unsigned char const **buffer, size_t *size,
|
|
*r_length = len;
|
|
}
|
|
|
|
+ if (*r_length > *r_nhdr && (*r_nhdr + *r_length) < *r_length)
|
|
+ {
|
|
+ return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW);
|
|
+ }
|
|
+
|
|
/* Without this kludge some example certs can't be parsed. */
|
|
if (*r_class == CLASS_UNIVERSAL && !*r_tag)
|
|
*r_length = 0;
|
|
--
|
|
2.27.0
|
|
|