author | Werner Koch <wk@gnupg.org> | 2022-10-07 14:12:33 +0200 |
---|---|---|
committer | Werner Koch <wk@gnupg.org> | 2022-10-07 14:20:53 +0200 |
commit | 94d13f53a3b4c49472db1b17f12844c94a69aba4 (patch) | |
tree | f725a2450abe793c81477bacec36ca1ea9af6da4 | |
parent | po: Fix wrong LF in the German translation (diff) | |
common: Protect against a theoretical integer overflow in tlv.c
* common/tlv.c (parse_ber_header): Protect against integer overflow.
--
Although there is no concrete case where we use the (nhdr + length),
it is better to protect against this already here.
-rw-r--r-- | common/tlv.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/common/tlv.c b/common/tlv.c index abef83a37..9618d04cb 100644 --- a/common/tlv.c +++ b/common/tlv.c @@ -222,6 +222,11 @@ parse_ber_header (unsigned char const **buffer, size_t *size, *r_length = len; } + if (*r_length > *r_nhdr && (*r_nhdr + *r_length) < *r_length) + { + return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW); + } + /* Without this kludge some example certs can't be parsed. */ if (*r_class == CLASS_UNIVERSAL && !*r_tag) *r_length = 0; |
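Review bot: The first conjunct of the new condition, `*r_length > *r_nhdr`, looks unnecessary and narrows the check. Assuming both values are unsigned (their declarations are not visible in this hunk), a wrapped sum is always smaller than either operand, so `(*r_nhdr + *r_length) < *r_length` alone catches every wrap, whereas the guard skips the test whenever `*r_nhdr >= *r_length`. Suggest dropping the guard, or adding a short comment saying why it is wanted, and a one-line comment above the `if` stating that the check exists for callers that compute header length plus content length, as the commit message explains. The check also sits before the "kludge" that resets `*r_length` to 0 for a universal class with tag 0, so such a header with an oversized length is now rejected with GPG_ERR_EOVERFLOW rather than normalized; if that ordering is intentional it is worth saying so in the comment. Minor style point: the braces around the single `return` can go.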