TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 80e6cffcadd0c79b231a280ac583b288587fdb42^! / . / library
commit80e6cffcadd0c79b231a280ac583b288587fdb42[log] [tgz]
authorManuel Pégourié-Gonnard <mpg@elzevir.fr>Wed Oct 21 10:16:29 2015 +0200
committerManuel Pégourié-Gonnard <mpg2@elzevir.fr>Tue Oct 27 11:30:31 2015 +0100
tree65f70962bf04d9da20663970cfc88730abb90bf9
parent69994584c7731828d2709869697681b6ed50011d [diff]
Fix potential heap corruption on Windows

If len is large enough, when cast to an int it will be negative and then the
test if( len > MAX_PATH - 3 ) will not behave as expected.

Ref: IOTSSL-518

backport of 261faed725e29bd34abbf1f95df5fab43791f40c

diff --git a/library/x509parse.c b/library/x509parse.c
index c98145b..11e7841 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c

@@ -1932,7 +1932,7 @@
     WCHAR szDir[MAX_PATH];
     char filename[MAX_PATH];
 	char *p;
-    int len = strlen( path );
+    size_t len = strlen( path );
 
 	WIN32_FIND_DATAW file_data;
     HANDLE hFind;
@@ -1947,7 +1947,7 @@
 	p = filename + len;
     filename[len++] = '*';
 
-	w_ret = MultiByteToWideChar( CP_ACP, 0, filename, len, szDir, MAX_PATH - 3 );
+	w_ret = MultiByteToWideChar( CP_ACP, 0, filename, (int) len, szDir, MAX_PATH - 3 );
     if( w_ret == 0 )
         return( POLARSSL_ERR_X509_INVALID_INPUT );
 
@@ -1965,7 +1965,7 @@
 
 		w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
 									 lstrlenW(file_data.cFileName),
-									 p, len - 1,
+									 p, (int) len - 1,
 									 NULL, NULL );
         if( w_ret == 0 )
             return( POLARSSL_ERR_X509_FILE_IO_ERROR );