mirror of
https://github.com/radareorg/radare2.git
synced 2024-12-05 12:08:24 +00:00
Fix oob read in r_asn1.c
Variable used as length delemiter was user controlled producing oob
This commit is contained in:
parent
4e19275c1a
commit
a71a41bd5f
@ -317,6 +317,10 @@ static RASN1Object *asn1_parse_header (const ut8 *buffer, ut32 length) {
|
|||||||
object->form = head & ASN1_FORM;
|
object->form = head & ASN1_FORM;
|
||||||
object->tag = head & ASN1_TAG;
|
object->tag = head & ASN1_TAG;
|
||||||
length8 = buffer[1];
|
length8 = buffer[1];
|
||||||
|
if (length8 > length) {
|
||||||
|
//this length8 is user controlled and can produce oob
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
if (length8 & ASN1_LENLONG) {
|
if (length8 & ASN1_LENLONG) {
|
||||||
length64 = 0;
|
length64 = 0;
|
||||||
length8 &= ASN1_LENSHORT;
|
length8 &= ASN1_LENSHORT;
|
||||||
|
Loading…
Reference in New Issue
Block a user