diff options
Diffstat (limited to 'lib/asn1_decoder.c')
| -rw-r--r-- | lib/asn1_decoder.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/lib/asn1_decoder.c b/lib/asn1_decoder.c index 0bd8a611eb83..1ef0cec38d78 100644 --- a/lib/asn1_decoder.c +++ b/lib/asn1_decoder.c | |||
| @@ -228,7 +228,7 @@ next_op: | |||
| 228 | hdr = 2; | 228 | hdr = 2; |
| 229 | 229 | ||
| 230 | /* Extract a tag from the data */ | 230 | /* Extract a tag from the data */ |
| 231 | if (unlikely(dp >= datalen - 1)) | 231 | if (unlikely(datalen - dp < 2)) |
| 232 | goto data_overrun_error; | 232 | goto data_overrun_error; |
| 233 | tag = data[dp++]; | 233 | tag = data[dp++]; |
| 234 | if (unlikely((tag & 0x1f) == ASN1_LONG_TAG)) | 234 | if (unlikely((tag & 0x1f) == ASN1_LONG_TAG)) |
| @@ -274,7 +274,7 @@ next_op: | |||
| 274 | int n = len - 0x80; | 274 | int n = len - 0x80; |
| 275 | if (unlikely(n > 2)) | 275 | if (unlikely(n > 2)) |
| 276 | goto length_too_long; | 276 | goto length_too_long; |
| 277 | if (unlikely(dp >= datalen - n)) | 277 | if (unlikely(n > datalen - dp)) |
| 278 | goto data_overrun_error; | 278 | goto data_overrun_error; |
| 279 | hdr += n; | 279 | hdr += n; |
| 280 | for (len = 0; n > 0; n--) { | 280 | for (len = 0; n > 0; n--) { |
| @@ -284,6 +284,9 @@ next_op: | |||
| 284 | if (unlikely(len > datalen - dp)) | 284 | if (unlikely(len > datalen - dp)) |
| 285 | goto data_overrun_error; | 285 | goto data_overrun_error; |
| 286 | } | 286 | } |
| 287 | } else { | ||
| 288 | if (unlikely(len > datalen - dp)) | ||
| 289 | goto data_overrun_error; | ||
| 287 | } | 290 | } |
| 288 | 291 | ||
| 289 | if (flags & FLAG_CONS) { | 292 | if (flags & FLAG_CONS) { |