mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-03-29 13:20:21 +00:00
Fix integer overflow with an input buffer larger than INT_MAX
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
parent
aa01a038b5
commit
7077781af5
@ -208,7 +208,7 @@ static int parse_attribute_value_string(const char *s,
|
||||
* contains a null byte.
|
||||
*/
|
||||
static int parse_attribute_value_hex_der_encoded(const char *s,
|
||||
int len,
|
||||
size_t len,
|
||||
unsigned char *data,
|
||||
size_t *data_len,
|
||||
int *tag)
|
||||
@ -308,10 +308,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
|
||||
mbedtls_free(oid.p);
|
||||
return MBEDTLS_ERR_X509_INVALID_NAME;
|
||||
} else if (*s == '#') {
|
||||
if ((parse_ret =
|
||||
parse_attribute_value_hex_der_encoded(s + 1, (int) (c - s - 1),
|
||||
data, &data_len,
|
||||
&tag)) != 0) {
|
||||
/* We know that c >= s (loop invariant) and c != s (in this
|
||||
* else branch), hence c - s - 1 >= 0. */
|
||||
parse_ret = parse_attribute_value_hex_der_encoded(
|
||||
s + 1, c - s - 1,
|
||||
data, &data_len, &tag);
|
||||
if (parse_ret != 0) {
|
||||
mbedtls_free(oid.p);
|
||||
return MBEDTLS_ERR_X509_INVALID_NAME;
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user