avoid out of bounds read
parent
03c5280626
commit
6184c1fbab
|
@ -898,7 +898,7 @@ static int piv_read_obj_from_file(sc_card_t * card, char * filename,
|
||||||
goto err;
|
goto err;
|
||||||
}
|
}
|
||||||
memcpy(*buf, tagbuf, len); /* copy first or only part */
|
memcpy(*buf, tagbuf, len); /* copy first or only part */
|
||||||
if (rbuflen > len) {
|
if (rbuflen > len + sizeof(tagbuf)) {
|
||||||
len = read(f, *buf + sizeof(tagbuf), rbuflen - sizeof(tagbuf)); /* read rest */
|
len = read(f, *buf + sizeof(tagbuf), rbuflen - sizeof(tagbuf)); /* read rest */
|
||||||
if (len != rbuflen - sizeof(tagbuf)) {
|
if (len != rbuflen - sizeof(tagbuf)) {
|
||||||
r = SC_ERROR_INVALID_ASN1_OBJECT;
|
r = SC_ERROR_INVALID_ASN1_OBJECT;
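Review bot: The new guard `if (rbuflen > len + sizeof(tagbuf)) {` also skips the remainder read whenever rbuflen is larger than len by sizeof(tagbuf) or less, so in that range *buf keeps only the first len bytes and no error is reported. The read inside the branch writes at `*buf + sizeof(tagbuf)` for `rbuflen - sizeof(tagbuf)` bytes, so the condition that keeps that subtraction from wrapping appears to be `if (rbuflen > sizeof(tagbuf)) {`. The `memcpy(*buf, tagbuf, len)` just above is not bounded within the hunk; unless code outside it guarantees that len never exceeds rbuflen, that copy needs its own check before it runs. piv_read_obj_from_file starts and ends outside the hunk, so the allocation of *buf and the types of len and rbuflen are not visible here.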
|
||||||
|
|
|
@ -617,6 +617,8 @@ int msc_extract_rsa_public_key(sc_card_t *card,
|
||||||
if(!*modulus) SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
if(!*modulus) SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_OUT_OF_MEMORY);
|
||||||
memcpy(*modulus, buffer, *modLength);
|
memcpy(*modulus, buffer, *modLength);
|
||||||
*expLength = (buffer[*modLength] << 8) | buffer[*modLength + 1];
|
*expLength = (buffer[*modLength] << 8) | buffer[*modLength + 1];
|
||||||
|
if (*expLength > sizeof buffer)
|
||||||
|
return SC_ERROR_OUT_OF_MEMORY;
|
||||||
r = msc_read_object(card, inputId, fileLocation, buffer, *expLength);
|
r = msc_read_object(card, inputId, fileLocation, buffer, *expLength);
|
||||||
if(r < 0) {
|
if(r < 0) {
|
||||||
free(*modulus); *modulus = NULL;
|
free(*modulus); *modulus = NULL;
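Review bot: The added early return leaks the `*modulus` allocation and leaves the caller holding a non-NULL pointer, unlike the `r < 0` path right below it, which does `free(*modulus); *modulus = NULL;`. The new branch should release it the same way and return through the macro used on the allocation check, for example `if (*expLength > sizeof buffer) { free(*modulus); *modulus = NULL; SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_NORMAL, SC_ERROR_INVALID_DATA); }`; an oversized length field in card data is malformed input rather than an allocation failure, so SC_ERROR_OUT_OF_MEMORY misreports the cause. The line before the check reads `buffer[*modLength]` and `buffer[*modLength + 1]`, and whether `*modLength` is bounded against the size of buffer is decided outside the hunk and worth confirming. msc_extract_rsa_public_key starts and ends outside the hunk.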
|
||||||
|
|