TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 64f65e84bc354462cd807d1d9ce82d1381a46643^! / .
commit64f65e84bc354462cd807d1d9ce82d1381a46643[log] [tgz]
authorManuel Pégourié-Gonnard <mpg@elzevir.fr>Fri Apr 10 17:23:05 2015 +0200
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>Thu Apr 23 10:55:04 2015 +0200
treecf0eb0c65fb78e98cbfb10a5645ee188315b53ee
parent82f1a88a924564e66796473aa9c1eadd1eb2ea0b [diff]
Fix potential unintended sign extension

Backport of 6fdc4cae from the 1.3 branch

diff --git a/ChangeLog b/ChangeLog
index c6befa9..7ee4050 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -6,6 +6,10 @@
    * Fix potential invalid memory read in the server, that allows a client to
      crash it remotely (found by Caj Larsson).
 
+Bugfix
+   * Fix potential unintended sign extension in asn1_get_len() on 64-bit
+     platforms (found with Coverity Scan).
+
 = Version 1.2.13 released 2015-02-16
 Note: Although PolarSSL has been renamed to mbed TLS, no changes reflecting
       this will be made in the 1.2 branch at this point.

diff --git a/library/asn1parse.c b/library/asn1parse.c
index 928924f..636ab60 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c

@@ -62,7 +62,7 @@
             if( ( end - *p ) < 3 )
                 return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
 
-            *len = ( (*p)[1] << 8 ) | (*p)[2];
+            *len = ( (size_t)(*p)[1] << 8 ) | (*p)[2];
             (*p) += 3;
             break;
 
@@ -70,7 +70,8 @@
             if( ( end - *p ) < 4 )
                 return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
 
-            *len = ( (*p)[1] << 16 ) | ( (*p)[2] << 8 ) | (*p)[3];
+            *len = ( (size_t)(*p)[1] << 16 ) |
+                   ( (size_t)(*p)[2] << 8  ) | (*p)[3];
             (*p) += 4;
             break;
 
@@ -78,7 +79,8 @@
             if( ( end - *p ) < 5 )
                 return( POLARSSL_ERR_ASN1_OUT_OF_DATA );
 
-            *len = ( (*p)[1] << 24 ) | ( (*p)[2] << 16 ) | ( (*p)[3] << 8 ) | (*p)[4];
+            *len = ( (size_t)(*p)[1] << 24 ) | ( (size_t)(*p)[2] << 16 ) |
+                   ( (size_t)(*p)[3] << 8  ) |           (*p)[4];
             (*p) += 5;
             break;