1*4882a593SmuzhiyunFrom 25c26a3b7a9ad8192ccc923e15cf62bf0108ef94 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: werew <werew@ret2libc.com> 3*4882a593SmuzhiyunDate: Thu, 3 Oct 2019 19:57:10 +0200 4*4882a593SmuzhiyunSubject: [PATCH] Fixes #507 5*4882a593Smuzhiyun 6*4882a593SmuzhiyunFix a vulnerability in der_decode_utf8_string as specified here: 7*4882a593Smuzhiyunhttps://github.com/libtom/libtomcrypt/issues/507 8*4882a593Smuzhiyun 9*4882a593Smuzhiyun[for import into Buildroot] 10*4882a593SmuzhiyunSigned-off-by: Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> 11*4882a593Smuzhiyun 12*4882a593Smuzhiyun 13*4882a593Smuzhiyun--- 14*4882a593Smuzhiyun src/pk/asn1/der/utf8/der_decode_utf8_string.c | 2 +- 15*4882a593Smuzhiyun 1 file changed, 1 insertion(+), 1 deletion(-) 16*4882a593Smuzhiyun 17*4882a593Smuzhiyundiff --git a/src/pk/asn1/der/utf8/der_decode_utf8_string.c b/src/pk/asn1/der/utf8/der_decode_utf8_string.c 18*4882a593Smuzhiyunindex 94555b99f..d3ed82bea 100644 19*4882a593Smuzhiyun--- a/src/pk/asn1/der/utf8/der_decode_utf8_string.c 20*4882a593Smuzhiyun+++ b/src/pk/asn1/der/utf8/der_decode_utf8_string.c 21*4882a593Smuzhiyun@@ -65,7 +65,7 @@ int der_decode_utf8_string(const unsigned char *in, unsigned long inlen, 22*4882a593Smuzhiyun /* count number of bytes */ 23*4882a593Smuzhiyun for (z = 0; (tmp & 0x80) && (z <= 4); z++, tmp = (tmp << 1) & 0xFF); 24*4882a593Smuzhiyun 25*4882a593Smuzhiyun- if (z > 4 || (x + (z - 1) > inlen)) { 26*4882a593Smuzhiyun+ if (z == 1 || z > 4 || (x + (z - 1) > inlen)) { 27*4882a593Smuzhiyun return CRYPT_INVALID_PACKET; 28*4882a593Smuzhiyun } 29*4882a593Smuzhiyun 30