tcos: Prevent buffer underflow
Thanks oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22995
This commit is contained in:
parent
d141b35596
commit
fa719b301f
|
@ -559,11 +559,14 @@ static int tcos_compute_signature(sc_card_t *card, const u8 * data, size_t datal
|
||||||
memcpy(sbuf, data, datalen);
|
memcpy(sbuf, data, datalen);
|
||||||
dlen=datalen;
|
dlen=datalen;
|
||||||
} else {
|
} else {
|
||||||
size_t keylen= tcos3 ? 256 : 128;
|
size_t keylen = tcos3 ? 256 : 128;
|
||||||
|
|
||||||
|
if (datalen > keylen) {
|
||||||
|
SC_FUNC_RETURN(card->ctx, SC_LOG_DEBUG_VERBOSE, SC_ERROR_INVALID_ARGUMENTS);
|
||||||
|
}
|
||||||
|
|
||||||
sc_format_apdu(card, &apdu, keylen>255 ? SC_APDU_CASE_4_EXT : SC_APDU_CASE_4_SHORT, 0x2A,0x80,0x86);
|
sc_format_apdu(card, &apdu, keylen>255 ? SC_APDU_CASE_4_EXT : SC_APDU_CASE_4_SHORT, 0x2A,0x80,0x86);
|
||||||
for(i=0; i<sizeof(sbuf);++i) sbuf[i]=0xff;
|
for(i=0; i<sizeof(sbuf);++i) sbuf[i]=0xff;
|
||||||
if (keylen < datalen)
|
|
||||||
return SC_ERROR_INVALID_ARGUMENTS;
|
|
||||||
sbuf[0]=0x02; sbuf[1]=0x00; sbuf[2]=0x01; sbuf[keylen-datalen]=0x00;
|
sbuf[0]=0x02; sbuf[1]=0x00; sbuf[2]=0x01; sbuf[keylen-datalen]=0x00;
|
||||||
memcpy(sbuf+keylen-datalen+1, data, datalen);
|
memcpy(sbuf+keylen-datalen+1, data, datalen);
|
||||||
dlen=keylen+1;
|
dlen=keylen+1;
|
||||||
|
|
Loading…
Reference in New Issue