Fix oob read in r_asn1.c

Variable used as length delemiter was user controlled producing oob
This commit is contained in:
alvarofe 2017-05-06 23:23:21 +02:00
parent 4e19275c1a
commit a71a41bd5f

View File

@ -317,6 +317,10 @@ static RASN1Object *asn1_parse_header (const ut8 *buffer, ut32 length) {
object->form = head & ASN1_FORM; object->form = head & ASN1_FORM;
object->tag = head & ASN1_TAG; object->tag = head & ASN1_TAG;
length8 = buffer[1]; length8 = buffer[1];
if (length8 > length) {
//this length8 is user controlled and can produce oob
return NULL;
}
if (length8 & ASN1_LENLONG) { if (length8 & ASN1_LENLONG) {
length64 = 0; length64 = 0;
length8 &= ASN1_LENSHORT; length8 &= ASN1_LENSHORT;