rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity
bc603de2a8
krb5/krb5-CVE-2009-0847.patch

35 lines
1.3 KiB
Diff
Raw Blame History

diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 8baac24..587cccc 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code)
asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
{
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
subbuf->base = subbuf->next = buf->next;
if (!indef) {
+ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
subbuf->bound = subbuf->base + length - 1;
- if (subbuf->bound > buf->bound)
- return ASN1_OVERRUN;
} else /* constructed indefinite */
subbuf->bound = buf->bound;
return 0;
@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len,
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len,
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
Reference in New Issue View Git Blame Copy Permalink