From e6848b6d88ed3c047a8975705cb032ede5442418 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 4 Jun 2020 11:08:01 +0200
Subject: [PATCH] tcos: Yet anoter buffer underflow as previous

---
 src/libopensc/card-tcos.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/libopensc/card-tcos.c b/src/libopensc/card-tcos.c
index 85e663ac..26bb8045 100644
--- a/src/libopensc/card-tcos.c
+++ b/src/libopensc/card-tcos.c
@@ -580,7 +580,12 @@ static int tcos_compute_signature(sc_card_t *card, const u8 * data, size_t datal
 	r = sc_transmit_apdu(card, &apdu);
 	LOG_TEST_RET(card->ctx, r, "APDU transmit failed");
 	if (tcos3 && apdu.p1==0x80 && apdu.sw1==0x6A && apdu.sw2==0x87) {
-		int keylen=128;
+		size_t keylen = 128;
+
+		if (datalen > keylen) {
+			SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);
+		}
+
 		sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A,0x80,0x86);
 		for(i=0; i<sizeof(sbuf);++i) sbuf[i]=0xff;
 		sbuf[0]=0x02; sbuf[1]=0x00; sbuf[2]=0x01; sbuf[keylen-datalen]=0x00;