Fix other occurrences of same bounds check issue Security impact is the same: not triggerrable remotely except in very specific use cases

commit: 5784dd5ac8159b2e41cfb640cb3f963e86375646 [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Wed Oct 21 12:23:09 2015 +0200
committer: Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Mon Nov 02 10:43:03 2015 +0900
tree: 0507ccc9a0bbc6d416c4c07f95d6e212336f9584
parent: 0d66bb959ff42bbd527cda3e389cae202ce75aba [diff] [blame]
diff --git a/library/x509_create.c b/library/x509_create.c
index 3b773c0..df20ec8 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c

@@ -259,13 +259,16 @@
     int ret;
     size_t len = 0;
 
-    if( *p - start < (int) size + 1 )
+    if( *p < start || (size_t)( *p - start ) < size )
         return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
 
     len = size;
     (*p) -= len;
     memcpy( *p, sig, len );
 
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
     *--(*p) = 0;
     len += 1;
commit	5784dd5ac8159b2e41cfb640cb3f963e86375646	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg2@elzevir.fr>	Wed Oct 21 12:23:09 2015 +0200
committer	Manuel Pégourié-Gonnard <mpg2@elzevir.fr>	Mon Nov 02 10:43:03 2015 +0900
tree	0507ccc9a0bbc6d416c4c07f95d6e212336f9584
parent	0d66bb959ff42bbd527cda3e389cae202ce75aba [diff] [blame]