~ubuntu-branches/ubuntu/lucid/libtasn1-3/lucid-security

Description: fix denial of service and possible code execution via
 overflow in _asn1_ltostr
Origin: backport, http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commit;h=e47b2a0651ffe1867c844968ade7f6127957bf13
Origin: backport, http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff;h=4d4f992826a4962790ecd0cce6fbba4a415ce149

Index: libtasn1-3-2.4/lib/coding.c
===================================================================
--- libtasn1-3-2.4.orig/lib/coding.c	2015-04-02 11:27:46.846135766 -0400
+++ libtasn1-3-2.4/lib/coding.c	2015-04-02 11:36:09.974124773 -0400
@@ -35,6 +35,10 @@
 
 #define MAX_TAG_LEN 16
 
+#ifndef MAX
+# define MAX(a,b) ((a) > (b) ? (a) : (b))
+#endif
+
 /******************************************************/
 /* Function : _asn1_error_description_value_not_found */
 /* Description: creates the ErrorDescription string   */
@@ -448,7 +452,7 @@
 {
   ASN1_TYPE p;
   int tag_len, is_tag_implicit;
-  unsigned char class, class_implicit = 0, temp[SIZEOF_UNSIGNED_INT * 3 + 1];
+  unsigned char class, class_implicit = 0, temp[MAX(SIZEOF_UNSIGNED_INT * 3 + 1, LTOSTR_MAX_SIZE)];
   unsigned long tag_implicit = 0;
   char tag_der[MAX_TAG_LEN];
 
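Review bot: The two resized `temp` declarations (this one and `char temp[MAX(LTOSTR_MAX_SIZE, SIZEOF_UNSIGNED_LONG_INT * 3 + 1)]` in the next hunk) give no reason for taking the larger of two sizes, and they list the operands in opposite order. Both enclosing functions start and end outside their hunks, so the uses of `temp` are not visible; presumably it is passed to `_asn1_ltostr` as well as serving its original length-based purpose. A one-line comment such as `/* temp must hold an _asn1_ltostr result (LTOSTR_MAX_SIZE) as well as the original worst case */`, with the operands in the same order in both places, would let the sizing be checked at a glance. `LTOSTR_MAX_SIZE` is defined in parser_aux.h, so these declarations rely on that header being included in coding.c, which should be confirmed.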
@@ -874,7 +878,7 @@
 		 char *ErrorDescription)
 {
   ASN1_TYPE node, p, p2;
-  char temp[SIZEOF_UNSIGNED_LONG_INT * 3 + 1];
+  char temp[MAX(LTOSTR_MAX_SIZE, SIZEOF_UNSIGNED_LONG_INT * 3 + 1)];
   int counter, counter_old, len2, len3, tlen, move, max_len, max_len_old;
   asn1_retCode err;
   unsigned char *der = ider;
Index: libtasn1-3-2.4/lib/decoding.c
===================================================================
--- libtasn1-3-2.4.orig/lib/decoding.c	2015-04-02 11:27:46.846135766 -0400
+++ libtasn1-3-2.4/lib/decoding.c	2015-04-02 11:27:46.846135766 -0400
@@ -286,7 +286,7 @@
 {
   int len_len, len, k;
   int leading;
-  char temp[20];
+  char temp[LTOSTR_MAX_SIZE];
   unsigned long val, val1, prev_val;
 
   *ret_len = 0;
Index: libtasn1-3-2.4/lib/element.c
===================================================================
--- libtasn1-3-2.4.orig/lib/element.c	2015-04-02 11:27:46.846135766 -0400
+++ libtasn1-3-2.4/lib/element.c	2015-04-02 11:27:46.846135766 -0400
@@ -134,7 +134,7 @@
 _asn1_append_sequence_set (ASN1_TYPE node)
 {
   ASN1_TYPE p, p2;
-  char temp[10];
+  char temp[LTOSTR_MAX_SIZE];
   long n;
 
   if (!node || !(node->down))
Index: libtasn1-3-2.4/lib/parser_aux.c
===================================================================
--- libtasn1-3-2.4.orig/lib/parser_aux.c	2015-04-02 11:27:46.846135766 -0400
+++ libtasn1-3-2.4/lib/parser_aux.c	2015-04-02 11:27:46.846135766 -0400
@@ -580,10 +580,10 @@
 
 
 char *
-_asn1_ltostr (long v, char *str)
+_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE])
 {
   long d, r;
-  char temp[20];
+  char temp[LTOSTR_MAX_SIZE];
   int count, k, start;
 
   if (v < 0)
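Review bot: The new parameter form `char str[LTOSTR_MAX_SIZE]` is adjusted to `char *` by the compiler, so it documents the required buffer size but does not enforce it. A caller passing a shorter buffer still compiles, which appears to be the mistake the element.c (`temp[10]`) and decoding.c (`temp[20]`) hunks correct by hand. The same holds for the prototype in parser_aux.h. I would state the contract in a comment above the definition, e.g. `/* str must point to a buffer of at least LTOSTR_MAX_SIZE bytes */`. The `if (v < 0)` branch continues past the end of this hunk; if it negates `v`, the most negative `long` needs separate handling, which should be checked against the full function.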
@@ -604,7 +604,7 @@
       count++;
       v = d;
     }
-  while (v);
+  while (v && ((start+count) < LTOSTR_MAX_SIZE-1));
 
   for (k = 0; k < count; k++)
     str[k + start] = temp[start + count - k - 1];
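Review bot: If the new bound `(start+count) < LTOSTR_MAX_SIZE-1` stops the loop while `v` is still non-zero, the remaining high-order digits are dropped and the function carries on as if the conversion had succeeded. The reversing copy just below indicates that `temp` is filled least-significant digit first. With `LTOSTR_MAX_SIZE` at 22 the bound should be unreachable for a 64-bit `long`, so it is a backstop rather than a normal path, but nothing tells the caller if it ever triggers. I would say so at the loop, e.g. `/* backstop only: a 64-bit long never reaches this bound; if hit, high-order digits are lost */`. The start of the loop and the terminator write after the copy are outside this hunk, so the final index of the NUL byte could not be checked here.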
Index: libtasn1-3-2.4/lib/parser_aux.h
===================================================================
--- libtasn1-3-2.4.orig/lib/parser_aux.h	2015-04-02 11:27:46.846135766 -0400
+++ libtasn1-3-2.4/lib/parser_aux.h	2015-04-02 11:27:46.846135766 -0400
@@ -42,7 +42,9 @@
 
 void _asn1_delete_list_and_nodes (void);
 
-char *_asn1_ltostr (long v, char *str);
+/* Max 64-bit integer length is 20 chars + 1 for sign + 1 for null termination */
+#define LTOSTR_MAX_SIZE 22
+char *_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE]);
 
 ASN1_TYPE _asn1_find_up (ASN1_TYPE node);