cardos: Correctly calculate the left bytes to avoid buffer overrun
Thanks oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
parent
17d8980cde
commit
1252aca9f1
|
@ -159,7 +159,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)
|
||||||
sc_apdu_t apdu;
|
sc_apdu_t apdu;
|
||||||
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
|
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
|
||||||
int r;
|
int r;
|
||||||
const u8 *p = rbuf, *q;
|
const u8 *p = rbuf, *q, *pp;
|
||||||
size_t len, tlen = 0, ilen = 0;
|
size_t len, tlen = 0, ilen = 0;
|
||||||
|
|
||||||
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
|
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
|
||||||
|
@ -175,10 +175,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
while (len != 0) {
|
while (len != 0) {
|
||||||
p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
|
pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
|
||||||
if (p == NULL)
|
if (pp == NULL)
|
||||||
return 0;
|
return 0;
|
||||||
q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
|
q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
|
||||||
if (q == NULL || ilen != 4)
|
if (q == NULL || ilen != 4)
|
||||||
return 0;
|
return 0;
|
||||||
if (q[0] == 0x1c)
|
if (q[0] == 0x1c)
|
||||||
|
|
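Review bot: The `while (len != 0)` loop over `rbuf` still relies on the cursor update that follows `if (q[0] == 0x1c)`, which lies outside this hunk, and because `len` is a `size_t` any step that subtracts more than what remains would wrap and keep the loop reading past the response data. Now that `pp` holds the value of the 0xe1 object while `p` stays at the scan position, the consumed amount can be taken from the pointers rather than from an assumed header size, for example `len -= (size_t)(pp + tlen - p); p = pp + tlen;`. That suggestion assumes sc_asn1_find_tag only returns values lying inside `p..p+len`, which is not visible here and should be confirmed. A short comment at the declaration, such as `/* pp: value of the current 0xe1 object; p remains the scan cursor so len stays in step */`, would also stop a later edit from merging the two pointers again.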