Magic-Mirror/radare2
1
0
Fork 0
mirror of https://github.com/radareorg/radare2.git synced 2024-12-04 19:47:31 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

Fix oob read in r_asn1.c

Browse Source 
Variable used as length delemiter was user controlled producing oob
This commit is contained in:
alvarofe 2017-05-06 23:23:21 +02:00
parent 4e19275c1a
commit a71a41bd5f
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libr/util/r_asn1.c
View File

@ -317,6 +317,10 @@ static RASN1Object *asn1_parse_header (const ut8 *buffer, ut32 length) {
object->form = head & ASN1_FORM;
object->tag = head & ASN1_TAG;
length8 = buffer[1];
if (length8 > length) {
//this length8 is user controlled and can produce oob
return NULL;
}
if (length8 & ASN1_LENLONG) {
length64 = 0;
length8 &= ASN1_LENSHORT;