mbedtls_asn1_get_int: fix int overflow

Fix a signed int overflow in mbedtls_asn1_get_int() for numbers
between INT_MAX+1 and UINT_MAX (typically 0x80000000..0xffffffff).
This was undefined behavior which in practice would typically have
resulted in an incorrect value, but which may plausibly also have
caused the postcondition (*p == initial<*p> + len) to be violated.

Credit to OSS-Fuzz.
This commit is contained in:
Gilles Peskine 2019-10-10 19:29:27 +02:00
parent 9fd9794d10
commit 37570e8152

View File

@ -167,6 +167,8 @@ int mbedtls_asn1_get_int( unsigned char **p,
* the int type has no padding bit. */ * the int type has no padding bit. */
if( len > sizeof( int ) ) if( len > sizeof( int ) )
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH ); return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
if( len == sizeof( int ) && ( **p & 0x80 ) != 0 )
return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
*val = 0; *val = 0;
while( len-- > 0 ) while( len-- > 0 )