| From 24ed1d41707f873f3b7a22159e4bb3942f319fac Mon Sep 17 00:00:00 2001 |
| From: mancha <mancha1@zoho.com> |
| Date: Sun, 1 Jun 2014 |
| Subject: CVE-2014-3468 |
| |
| This is a backport adaptation for use with GnuTLS 2.12.23. |
| |
| Relevant upstream commit(s): |
| ------------------------- |
| http://git.savannah.gnu.org/cgit/libtasn1.git/commit/?id=1c3ccb3e040bf1 |
| |
| --- |
| lib/minitasn1/decoding.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| --- a/lib/minitasn1/decoding.c |
| +++ b/lib/minitasn1/decoding.c |
| @@ -226,7 +226,7 @@ asn1_get_octet_der (const unsigned char |
| int *ret_len, unsigned char *str, int str_size, |
| int *str_len) |
| { |
| - int len_len; |
| + int len_len = 0; |
| |
| if (der_len <= 0) |
| return ASN1_GENERIC_ERROR; |
| @@ -347,7 +347,7 @@ asn1_get_bit_der (const unsigned char *d |
| int *ret_len, unsigned char *str, int str_size, |
| int *bit_len) |
| { |
| - int len_len, len_byte; |
| + int len_len = 0, len_byte; |
| |
| if (der_len <= 0) |
| return ASN1_GENERIC_ERROR; |
| @@ -358,6 +358,9 @@ asn1_get_bit_der (const unsigned char *d |
| *ret_len = len_byte + len_len + 1; |
| *bit_len = len_byte * 8 - der[len_len]; |
| |
| + if (*bit_len <= 0) |
| + return ASN1_DER_ERROR; |
| + |
| if (str_size >= len_byte) |
| memcpy (str, der + len_len + 1, len_byte); |
| else |
