mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 05:45:38 +01:00
Fix other occurrences of same bounds check issue
Security impact is the same: not triggerrable remotely except in very specific use cases
This commit is contained in:
parent
0d66bb959f
commit
5784dd5ac8
@ -96,7 +96,7 @@ static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start,
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( *p - start < (int) len )
|
if( *p < start || (size_t)( *p - start ) < len )
|
||||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
*p -= len;
|
*p -= len;
|
||||||
|
@ -259,13 +259,16 @@ int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
|
|||||||
int ret;
|
int ret;
|
||||||
size_t len = 0;
|
size_t len = 0;
|
||||||
|
|
||||||
if( *p - start < (int) size + 1 )
|
if( *p < start || (size_t)( *p - start ) < size )
|
||||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
len = size;
|
len = size;
|
||||||
(*p) -= len;
|
(*p) -= len;
|
||||||
memcpy( *p, sig, len );
|
memcpy( *p, sig, len );
|
||||||
|
|
||||||
|
if( *p - start < 1 )
|
||||||
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
*--(*p) = 0;
|
*--(*p) = 0;
|
||||||
len += 1;
|
len += 1;
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user