asn1: Fix undefined shift in OID parser

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=16618
2019-10-15 16:37:24 +02:00 · 2019-10-15 16:37:24 +02:00 · 1be013d08e
parent 630d6adf32
commit 1be013d08e
1 changed files with 6 additions and 0 deletions
--- a/src/libopensc/asn1.c
+++ b/src/libopensc/asn1.c
@ -28,6 +28,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>

 #include "internal.h"
 #include "asn1.h"
@ -816,6 +817,11 @@ sc_asn1_decode_object_id(const u8 *inbuf, size_t inlen, struct sc_object_id *id)
 		a = *p & 0x7F;
 		inlen--;
 		while (inlen && *p & 0x80) {
+			/* Limit the OID values to int size and do not overflow */
+			if (a > (INT_MAX>>7)) {
+				sc_init_oid(id);
+				return SC_ERROR_NOT_SUPPORTED;
+			}
 			p++;
 			a <<= 7;
 			a |= *p & 0x7F;