fixed out of bounds access of ASN.1 Bitstring
Credit to OSS-Fuzz
This commit is contained in:
parent
2bfd022180
commit
412a6142c2
|
@ -570,16 +570,20 @@ static int decode_bit_string(const u8 * inbuf, size_t inlen, void *outbuf,
|
||||||
{
|
{
|
||||||
const u8 *in = inbuf;
|
const u8 *in = inbuf;
|
||||||
u8 *out = (u8 *) outbuf;
|
u8 *out = (u8 *) outbuf;
|
||||||
int zero_bits = *in & 0x07;
|
|
||||||
size_t octets_left = inlen - 1;
|
|
||||||
int i, count = 0;
|
int i, count = 0;
|
||||||
|
int zero_bits;
|
||||||
|
size_t octets_left;
|
||||||
|
|
||||||
memset(outbuf, 0, outlen);
|
|
||||||
in++;
|
|
||||||
if (outlen < octets_left)
|
if (outlen < octets_left)
|
||||||
return SC_ERROR_BUFFER_TOO_SMALL;
|
return SC_ERROR_BUFFER_TOO_SMALL;
|
||||||
if (inlen < 1)
|
if (inlen < 1)
|
||||||
return SC_ERROR_INVALID_ASN1_OBJECT;
|
return SC_ERROR_INVALID_ASN1_OBJECT;
|
||||||
|
|
||||||
|
zero_bits = *in & 0x07;
|
||||||
|
octets_left = inlen - 1;
|
||||||
|
in++;
|
||||||
|
memset(outbuf, 0, outlen);
|
||||||
|
|
||||||
while (octets_left) {
|
while (octets_left) {
|
||||||
/* 1st octet of input: ABCDEFGH, where A is the MSB */
|
/* 1st octet of input: ABCDEFGH, where A is the MSB */
|
||||||
/* 1st octet of output: HGFEDCBA, where A is the LSB */
|
/* 1st octet of output: HGFEDCBA, where A is the LSB */
|
||||||
|
|
Loading…
Reference in New Issue