mbedtls_asn1_get_int: fix int overflow Fix a signed int overflow in mbedtls_asn1_get_int() for numbers between INT_MAX+1 and UINT_MAX (typically 0x80000000..0xffffffff). This was undefined behavior which in practice would typically have resulted in an incorrect value, but which may plausibly also have caused the postcondition (*p == initial<*p> + len) to be violated. Credit to OSS-Fuzz.

commit: 37570e81528d3a1d7354ece12dfb972e5f576e39 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Thu Oct 10 19:29:27 2019 +0200
committer: Gilles Peskine <Gilles.Peskine@arm.com> Thu Oct 10 19:29:27 2019 +0200
tree: 001af240835eb030b5589b2d5d5d7e8f8d72239d
parent: 9fd9794d109ffbd7f9ebed92f4a90dc429e1a1df [diff] [blame]
diff --git a/library/asn1parse.c b/library/asn1parse.c
index 4f9d6ae..412259e 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c

@@ -167,6 +167,8 @@
      * the int type has no padding bit. */
     if( len > sizeof( int ) )
         return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
+    if( len == sizeof( int ) && ( **p & 0x80 ) != 0 )
+        return( MBEDTLS_ERR_ASN1_INVALID_LENGTH );
 
     *val = 0;
     while( len-- > 0 )
commit	37570e81528d3a1d7354ece12dfb972e5f576e39	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Oct 10 19:29:27 2019 +0200
committer	Gilles Peskine <Gilles.Peskine@arm.com>	Thu Oct 10 19:29:27 2019 +0200
tree	001af240835eb030b5589b2d5d5d7e8f8d72239d
parent	9fd9794d109ffbd7f9ebed92f4a90dc429e1a1df [diff] [blame]