asn1_decode_entry() allocates (objlen - 1) bytes for SC_ASN1_UTF8STRING
types with the SC_ASN1_ALLOC flag, then calls sc_asn1_decode_utf8string(), which fails with BUFFER TOO SMALL because it needs room to terminate the string with an extra NUL byte. The allocation size was supposed to be objlen + 1.
Patch by Gürer Özen
git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@3225 c6295689-39f2-0310-b995-f0e70906c6a9
parent
b757ff1719
commit
d59917cd21
@ -1054,15 +1054,18 @@ static int asn1_decode_entry(sc_context_t *ctx,struct sc_asn1_entry *entry,
|
||||
assert(len != NULL);
|
||||
if (entry->flags & SC_ASN1_ALLOC) {
|
||||
u8 **buf = (u8 **) parm;
|
||||
*buf = (u8 *) malloc(objlen-1);
|
||||
*buf = (u8 *) malloc(objlen+1);
|
||||
if (*buf == NULL) {
|
||||
r = SC_ERROR_OUT_OF_MEMORY;
|
||||
break;
|
||||
}
|
||||
*len = objlen-1;
|
||||
*len = objlen+1;
|
||||
parm = *buf;
|
||||
}
|
||||
r = sc_asn1_decode_utf8string(obj, objlen, (u8 *) parm, len);
|
||||
if (entry->flags & SC_ASN1_ALLOC) {
|
||||
*len -= 1;
|
||||
}
|
||||
}
|
||||
break;
|
||||
case SC_ASN1_PATH:
|
||||
|
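Review bot: The new trailing `if (entry->flags & SC_ASN1_ALLOC) { *len -= 1; }` runs whatever `r` holds, so when sc_asn1_decode_utf8string() fails the caller gets a shortened `*len` together with a still-allocated, uninitialised `*buf`; whether any caller frees that buffer on error is not visible in this hunk. I would adjust the length only on success and, on failure, release the buffer through a `buf` pointer hoisted out of the first block (`free(*buf); *buf = NULL;`). The `objlen+1` sum also deserves a guard if `objlen` can ever reach the maximum of its type, because a wrapped size would presumably slip past the buffer-size check the commit message describes. A short comment such as `/* buffer is objlen bytes plus the terminating NUL; *len reports the string length only */` would record why the ALLOC path differs from the caller-supplied-buffer path. asn1_decode_entry() starts and ends outside the hunk.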