cardos: Correctly calculate the left bytes to avoid buffer overrun
Thanks oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
parent
17d8980cde
commit
1252aca9f1
@ -159,7 +159,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)
sc_apdu_t apdu;
u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
int r;
const u8 *p = rbuf, *q;
const u8 *p = rbuf, *q, *pp;
size_t len, tlen = 0, ilen = 0;
sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@ -175,10 +175,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)
return 0;
while (len != 0) {
p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
if (p == NULL)
pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
if (pp == NULL)
return 0;
q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
if (q == NULL || ilen != 4)
return 0;
if (q[0] == 0x1c)
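Review bot: Nothing in the loop shown here bounds the bytes consumed per iteration against `len`, which is a `size_t` tested only with `while (len != 0)`, so an over-subtraction at the loop tail would wrap and let the next `sc_asn1_find_tag` call scan past `rbuf`. After the `pp == NULL` check I would compute the consumed span once and reject it if it exceeds what is left: `size_t used = (size_t)(pp - p) + tlen; if (used > len) return 0;`, then advance with `p += used; len -= used;`. The statements that update `p` and `len` lie outside both hunks, so whether they already account for the tag and length header bytes (presumably `pp - p`) cannot be confirmed from this page. A short comment such as `/* p: start of the current TLV, pp: start of its value */` would also make the split between the two pointers obvious to the next reader.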