mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-30 04:54:21 +01:00
mbedtls_asn1_get_int: fix int overflow
Fix a signed int overflow in mbedtls_asn1_get_int() for numbers between INT_MAX+1 and UINT_MAX (typically 0x80000000..0xffffffff). This was undefined behavior which in practice would typically have resulted in an incorrect value, but which may plausibly also have caused the postcondition (*p == initial<*p> + len) to be violated. Credit to OSS-Fuzz.
This commit is contained in:
parent
9fd9794d10
commit
37570e8152
@ -167,6 +167,8 @@ int mbedtls_asn1_get_int( unsigned char **p,
|
|||||||
* the int type has no padding bit. */
|
* the int type has no padding bit. */
|
||||||
if( len > sizeof( int ) )
|
if( len > sizeof( int ) )
|
||||||
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
|
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
|
||||||
|
if( len == sizeof( int ) && ( **p & 0x80 ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
|
||||||
|
|
||||||
*val = 0;
|
*val = 0;
|
||||||
while( len-- > 0 )
|
while( len-- > 0 )
|
||||||
|
Loading…
Reference in New Issue
Block a user