From a71a41bd5fdd65d248beea92bb274da0ee3d6e82 Mon Sep 17 00:00:00 2001 From: alvarofe Date: Sat, 6 May 2017 23:23:21 +0200 Subject: [PATCH] Fix oob read in r_asn1.c Variable used as length delemiter was user controlled producing oob --- libr/util/r_asn1.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libr/util/r_asn1.c b/libr/util/r_asn1.c index 3108519954..2330ce58e7 100644 --- a/libr/util/r_asn1.c +++ b/libr/util/r_asn1.c @@ -317,6 +317,10 @@ static RASN1Object *asn1_parse_header (const ut8 *buffer, ut32 length) { object->form = head & ASN1_FORM; object->tag = head & ASN1_TAG; length8 = buffer[1]; + if (length8 > length) { + //this length8 is user controlled and can produce oob + return NULL; + } if (length8 & ASN1_LENLONG) { length64 = 0; length8 &= ASN1_LENSHORT;