Fix potential heap corruption on Windows
If len is large enough, when cast to an int it will be negative and then the
test if( len > MAX_PATH - 3 ) will not behave as expected.
diff --git a/ChangeLog b/ChangeLog
index ac33f5b..85909ca 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,9 @@
* Fix potential double free if mbedtls_ssl_conf_psk() is called more than
once and some allocation fails. Cannot be forced remotely. Found by Guido
Vranken, Intelworks.
+ * Fix potential heap corruption on Windows when
+ mbedtls_x509_crt_parse_path() is passed a path longer than 2GB. Cannot be
+ triggered remotely. Found by Guido Vranken, Interlworks.
* The X509 max_pathlen constraint was not enforced on intermediate
certificates. Found by Nicholas Wilson, fix and tests provided by
Janos Follath. #280 and #319
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 579fbb7..91e4f50 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1099,7 +1099,7 @@
WCHAR szDir[MAX_PATH];
char filename[MAX_PATH];
char *p;
- int len = (int) strlen( path );
+ size_t len = strlen( path );
WIN32_FIND_DATAW file_data;
HANDLE hFind;
@@ -1133,7 +1133,7 @@
w_ret = WideCharToMultiByte( CP_ACP, 0, file_data.cFileName,
lstrlenW( file_data.cFileName ),
- p, len - 1,
+ p, (int) len - 1,
NULL, NULL );
if( w_ret == 0 )
return( MBEDTLS_ERR_X509_FILE_IO_ERROR );