From 5388eea449a132362bdd4e89ec30c7e1bb51aeee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg2@elzevir.fr>
Date: Tue, 27 Oct 2015 11:39:32 +0100
Subject: [PATCH] Fix potential buffer overflow in asn1write

Ref: IOTSSL-519
---
 ChangeLog           | 4 ++++
 library/asn1write.c | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6529b6660..2abdf1e78 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,10 @@ Security
    * Fix potential heap corruption on Windows when
      x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
      triggered remotely. Found by Guido Vranken, Interlworks.
+   * Fix potential buffer overflow in some asn1_write_xxx() functions.
+     Cannot be triggered remotely unless you create X.509 certificates based
+     on untrusted input or write keys of untrusted origin. Found by Guido
+     Vranken, Interlworks.
 
 = Version 1.2.17 released 2015-10-06
 
diff --git a/library/asn1write.c b/library/asn1write.c
index 3d6f1016c..6c520dc48 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -78,7 +78,7 @@ int asn1_write_mpi( unsigned char **p, unsigned char *start, mpi *X )
     //
     len = mpi_size( X );
 
-    if( *p - start < (int) len )
+    if( *p < start || (size_t)( *p - start ) < len )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     (*p) -= len;
@@ -127,7 +127,7 @@ int asn1_write_oid( unsigned char **p, unsigned char *start, char *oid )
     //
     len = strlen( oid );
 
-    if( *p - start < (int) len )
+    if( *p < start || (size_t)( *p - start ) < len )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     (*p) -= len;
@@ -203,7 +203,7 @@ int asn1_write_printable_string( unsigned char **p, unsigned char *start,
     //
     len = strlen( text );
 
-    if( *p - start < (int) len )
+    if( *p < start || (size_t)( *p - start ) < len )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     (*p) -= len;
@@ -225,7 +225,7 @@ int asn1_write_ia5_string( unsigned char **p, unsigned char *start,
     //
     len = strlen( text );
 
-    if( *p - start < (int) len )
+    if( *p < start || (size_t)( *p - start ) < len )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     (*p) -= len;