Fix other occurrences of same bounds check issue
Security impact is the same: not triggerable remotely except in very specific
use cases
backport of 4dc9b39
diff --git a/library/pkwrite.c b/library/pkwrite.c
index 35dbd0b..bb9514e 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -97,7 +97,7 @@
return( ret );
}
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
*p -= len;
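Review bot: The new condition depends on evaluation order, and nothing on the line says so. If `*p` were below `start`, the negative difference cast to `size_t` would become a very large value and `< len` would be false, so the `*p < start` test has to stay first. I would add a comment above the `if`, for example `/* Test *p < start first: a negative difference cast to size_t would look like plenty of room */`. The same comment applies to the first check in the library/x509_create.c hunk. The enclosing function starts and ends outside this hunk.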
diff --git a/library/x509_create.c b/library/x509_create.c
index f505bab..b2cbdd4 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -265,13 +265,16 @@
int ret;
size_t len = 0;
- if( *p - start < (int) size + 1 )
+ if( *p < start || (size_t)( *p - start ) < size )
return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
len = size;
(*p) -= len;
memcpy( *p, sig, len );
+ if( *p - start < 1 )
+ return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
+
*--(*p) = 0;
len += 1;
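Review bot: The one-byte check added after the `memcpy` can fail only after `*p` has been moved back and the signature bytes copied, so a caller receiving POLARSSL_ERR_ASN1_BUF_TOO_SMALL is left with a shifted cursor and a partly written buffer. Both conditions can be tested before any write without bringing back the `size + 1` arithmetic, which could wrap for a huge `size` and is presumably why the check was split: `if( *p < start || (size_t)( *p - start ) <= size )`. With that in place the second `if` is no longer needed. The function starts and continues outside the hunk, so whether any caller depends on the state after a failure is not visible here.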