From 0a171887100866f611f97fe02718f9b6eedc5554 Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Sun, 24 May 2020 23:45:38 +0200
Subject: [PATCH] fixed out of bounds read

fixes https://oss-fuzz.com/testcase-detail/5769032858075136
---
 src/libopensc/card-coolkey.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/libopensc/card-coolkey.c b/src/libopensc/card-coolkey.c
index c99ef429..ca587cc5 100644
--- a/src/libopensc/card-coolkey.c
+++ b/src/libopensc/card-coolkey.c
@@ -1768,6 +1768,10 @@ static int coolkey_rsa_op(sc_card_t *card,
 
 	} else {
 		size_t out_length = bebytes2ushort(buf);
+		if (out_length > sizeof buf - 2) {
+			r = SC_ERROR_WRONG_LENGTH;
+			goto done;
+		}
 		out_length = MIN(out_length, max_out_len);
 		memcpy(out, buf+2, out_length);
 		r = out_length;