Fix integer overflow with an input buffer larger than INT_MAX

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-29 13:20:21 +00:00 · 2023-09-21 16:50:40 +02:00 · 2023-09-21 16:50:40 +02:00 · 7077781af5
commit 7077781af5
parent aa01a038b5
1 changed files with 7 additions and 5 deletions
--- a/library/x509_create.c
+++ b/library/x509_create.c
@ -208,7 +208,7 @@ static int parse_attribute_value_string(const char *s,
 *                  contains a null byte.
 */
 static int parse_attribute_value_hex_der_encoded(const char *s,
-                                                 int len,
+                                                 size_t len,
                                                 unsigned char *data,
                                                 size_t *data_len,
                                                 int *tag)
@ -308,10 +308,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
                mbedtls_free(oid.p);
                return MBEDTLS_ERR_X509_INVALID_NAME;
            } else if (*s == '#') {
-                if ((parse_ret =
-                         parse_attribute_value_hex_der_encoded(s + 1, (int) (c - s - 1),
-                                                               data, &data_len,
-                                                               &tag)) != 0) {
+                /* We know that c >= s (loop invariant) and c != s (in this
+                 * else branch), hence c - s - 1 >= 0. */
+                parse_ret = parse_attribute_value_hex_der_encoded(
+                    s + 1, c - s - 1,
+                    data, &data_len, &tag);
+                if (parse_ret != 0) {
                    mbedtls_free(oid.p);
                    return MBEDTLS_ERR_X509_INVALID_NAME;
                }