From 639a551c6d4707c7fb880412d695dbdd31f60cf3 Mon Sep 17 00:00:00 2001
From: Andrew Hamilton <adhamilt@gmail.com>
Date: Mon, 7 Jul 2025 10:23:59 +0900
Subject: [PATCH] x509: fix read buffer overrun in SCT timestamps

Prevent reading beyond heap buffer in call to _gnutls_parse_ct_sct
when processing x509 Signed Certificate Timestamps with certain
malformed data. Spotted by oss-fuzz at:
https://issues.oss-fuzz.com/issues/42530513

Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/x509/x509_ext.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/x509/x509_ext.c b/lib/x509/x509_ext.c
index ad3af1430a..9a36f3536b 100644
--- a/lib/x509/x509_ext.c
+++ b/lib/x509/x509_ext.c
@@ -3759,7 +3759,7 @@ int gnutls_x509_ext_ct_import_scts(const gnutls_datum_t *ext,
 	}
 
 	length = _gnutls_read_uint16(scts_content.data);
-	if (length < 4) {
+	if (length < 4 || length > scts_content.size) {
 		gnutls_free(scts_content.data);
 		return GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE;
 	}
-- 
2.50.0