Diffstat (limited to 'patches/source/libtasn1/libtasn1.CVE-2014-3467_8_9.diff')
-rw-r--r--patches/source/libtasn1/libtasn1.CVE-2014-3467_8_9.diff152
1 files changed, 152 insertions, 0 deletions
diff --git a/patches/source/libtasn1/libtasn1.CVE-2014-3467_8_9.diff b/patches/source/libtasn1/libtasn1.CVE-2014-3467_8_9.diff
new file mode 100644
index 000000000..9b190c611
--- /dev/null
+++ b/patches/source/libtasn1/libtasn1.CVE-2014-3467_8_9.diff
@@ -0,0 +1,152 @@
+diff -u -r libtasn1-2.14.orig/lib/decoding.c libtasn1-2.14/lib/decoding.c
+--- libtasn1-2.14.orig/lib/decoding.c 2012-09-13 01:16:23.000000000 -0500
++++ libtasn1-2.14/lib/decoding.c 2014-06-05 16:42:36.495243018 -0500
+@@ -149,7 +149,7 @@
+ /* Long form */
+ punt = 1;
+ ris = 0;
+- while (punt <= der_len && der[punt] & 128)
++ while (punt < der_len && der[punt] & 128)
+ {
+ last = ris;
+
+@@ -226,12 +226,11 @@
+ int *ret_len, unsigned char *str, int str_size,
+ int *str_len)
+ {
+- int len_len;
++ int len_len = 0;
+
+ if (der_len <= 0)
+ return ASN1_GENERIC_ERROR;
+
+- /* if(str==NULL) return ASN1_SUCCESS; */
+ *str_len = asn1_get_length_der (der, der_len, &len_len);
+
+ if (*str_len < 0)
+@@ -239,7 +238,10 @@
+
+ *ret_len = *str_len + len_len;
+ if (str_size >= *str_len)
+- memcpy (str, der + len_len, *str_len);
++ {
++ if (*str_len > 0 && str != NULL)
++ memcpy (str, der + len_len, *str_len);
++ }
+ else
+ {
+ return ASN1_MEM_ERROR;
+@@ -259,7 +261,7 @@
+ if (der_len <= 0 || str == NULL)
+ return ASN1_DER_ERROR;
+ str_len = asn1_get_length_der (der, der_len, &len_len);
+- if (str_len < 0 || str_size < str_len)
++ if (str_len <= 0 || str_size < str_len)
+ return ASN1_DER_ERROR;
+ memcpy (str, der + len_len, str_len);
+ str[str_len] = 0;
+@@ -285,7 +287,7 @@
+ return ASN1_GENERIC_ERROR;
+ len = asn1_get_length_der (der, der_len, &len_len);
+
+- if (len < 0 || len > der_len || len_len > der_len)
++ if (len <= 0 || len > der_len || len_len > der_len)
+ return ASN1_DER_ERROR;
+
+ val1 = der[len_len] / 40;
+@@ -347,7 +349,7 @@
+ int *ret_len, unsigned char *str, int str_size,
+ int *bit_len)
+ {
+- int len_len, len_byte;
++ int len_len = 0, len_byte;
+
+ if (der_len <= 0)
+ return ASN1_GENERIC_ERROR;
+@@ -358,8 +360,14 @@
+ *ret_len = len_byte + len_len + 1;
+ *bit_len = len_byte * 8 - der[len_len];
+
++ if (*bit_len <= 0)
++ return ASN1_DER_ERROR;
++
+ if (str_size >= len_byte)
+- memcpy (str, der + len_len + 1, len_byte);
++ {
++ if (len_byte > 0 && str)
++ memcpy (str, der + len_len + 1, len_byte);
++ }
+ else
+ {
+ return ASN1_MEM_ERROR;
+diff -u -r libtasn1-2.14.orig/lib/element.c libtasn1-2.14/lib/element.c
+--- libtasn1-2.14.orig/lib/element.c 2012-09-24 06:51:43.000000000 -0500
++++ libtasn1-2.14/lib/element.c 2014-06-05 16:50:27.290222945 -0500
+@@ -112,8 +112,11 @@
+ /* VALUE_OUT is too short to contain the value conversion */
+ return ASN1_MEM_ERROR;
+
+- for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
+- value_out[k2 - k] = val[k2];
++ if (value_out != NULL)
++ {
++ for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++)
++ value_out[k2 - k] = val[k2];
++ }
+
+ #if 0
+ printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len);
+@@ -617,7 +620,8 @@
+ if (ptr_size < data_size) { \
+ return ASN1_MEM_ERROR; \
+ } else { \
+- memcpy( ptr, data, data_size); \
++ if (ptr && data_size > 0) \
++ memcpy( ptr, data, data_size); \
+ }
+
+ #define PUT_STR_VALUE( ptr, ptr_size, data) \
+@@ -626,16 +630,19 @@
+ return ASN1_MEM_ERROR; \
+ } else { \
+ /* this strcpy is checked */ \
+- _asn1_strcpy(ptr, data); \
++ if (ptr) { \
++ _asn1_strcpy(ptr, data); \
++ } \
+ }
+
+ #define ADD_STR_VALUE( ptr, ptr_size, data) \
+- *len = (int) _asn1_strlen(data) + 1; \
+- if (ptr_size < (int) _asn1_strlen(ptr)+(*len)) { \
++ *len += _asn1_strlen(data); \
++ if (ptr_size < (int) *len) { \
++ (*len)++; \
+ return ASN1_MEM_ERROR; \
+ } else { \
+ /* this strcat is checked */ \
+- _asn1_strcat(ptr, data); \
++ if (ptr) _asn1_strcat(ptr, data); \
+ }
+
+ /**
+@@ -792,7 +799,9 @@
+ case TYPE_OBJECT_ID:
+ if (node->type & CONST_ASSIGN)
+ {
+- value[0] = 0;
++ *len = 0;
++ if (value)
++ value[0] = 0;
+ p = node->down;
+ while (p)
+ {
+@@ -806,7 +815,7 @@
+ }
+ p = p->right;
+ }
+- *len = _asn1_strlen (value) + 1;
++ (*len)++;
+ }
+ else if ((node->type & CONST_DEFAULT) && (node->value == NULL))
+ {