asn1: Reject integers with bogus zero/non-zero bytes on left

2019-11-04 17:28:31 +01:00 · 2019-11-04 17:28:31 +01:00 · c449aa4430
parent d3e9b55223
commit c449aa4430
1 changed files with 7 additions and 0 deletions
--- a/src/libopensc/asn1.c
+++ b/src/libopensc/asn1.c
@ -725,9 +725,16 @@ int sc_asn1_decode_integer(const u8 * inbuf, size_t inlen, int *out)
 		return SC_ERROR_NOT_SUPPORTED;
 	}
 	if (inbuf[0] & 0x80) {
+		if (inlen > 1 && inbuf[0] == 0xff && (inbuf[1] & 0x80)) {
+			return SC_ERROR_INVALID_ASN1_OBJECT;
+		}
 		is_negative = 1;
 		a |= 0xff^(*inbuf++);
 		i = 1;
+	} else {
+		if (inlen > 1 && inbuf[0] == 0x00 && (inbuf[1] & 0x80) == 0) {
+			return SC_ERROR_INVALID_ASN1_OBJECT;
+		}
 	}
 	for (; i < inlen; i++) {
 		if (a > (INT_MAX >> 8) || a < (INT_MIN + (1<<8))) {