From 1252aca9f10771ef5ba8405e73cf2da50827958f Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 4 Feb 2021 13:11:01 +0100
Subject: [PATCH] cardos: Correctly calculate the left bytes to avoid buffer overrun

Thanks oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
---
 src/libopensc/card-cardos.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
index 06dd3e33..2d50b8c1 100644
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -159,7 +159,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)
 sc_apdu_t apdu;
 u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
 int r;
- const u8 *p = rbuf, *q;
+ const u8 *p = rbuf, *q, *pp;
 size_t len, tlen = 0, ilen = 0;
 
 sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@@ -175,10 +175,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)
 return 0;
 
 while (len != 0) {
- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
- if (p == NULL)
+ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+ if (pp == NULL)
 return 0;
- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
 if (q == NULL || ilen != 4)
 return 0;
 if (q[0] == 0x1c)
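Review bot: The bytes-left bookkeeping that the subject line says this commit fixes lives in the loop's advance step after `if (q[0] == 0x1c)`, which is outside this hunk, so the second hunk alone does not show that the overrun is closed; the body of cardos_have_2048bit_package continues past the end of the hunk. With `p` now left at the start of the 0xe1 element and `pp` at its contents, an advance that steps `p` and `len` by `tlen` alone would still undercount the tag and length header bytes, and a zero-length element would leave `len` unchanged and loop forever. If the advance is not already of that shape, I would make the consumed span explicit and bounded: `size_t used = (size_t)(pp - p) + tlen;` / `if (used == 0 || used > len) return 0;` / `p += used; len -= used;`. It is also worth a one-line comment on the `pp` declaration in the first hunk, e.g. `/* pp: current 0xe1 element; p stays at the scan cursor so len can be reduced correctly */`, since the reason for the second pointer is not obvious from the code.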