Fix potential buffer overflow in asn1write
diff --git a/ChangeLog b/ChangeLog
index aa96b18..998baed 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,13 @@
mbed TLS ChangeLog (Sorted per branch, date)
+= mbed TLS 2.2.R0released 2015-10-xx
+
+Security
+ * Fix potential buffer overflow in some asn1_write_xxx() functions.
+ Cannot be triggered remotely unless you create X.509 certificates based
+ on untrusted input or write keys of untrusted origin. Found by Guido
+ Vranken, Interlworks.
+
= mbed TLS 2.1.2 released 2015-10-06
Security
diff --git a/library/asn1write.c b/library/asn1write.c
index dd5a745..fd262a5 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c
@@ -87,7 +87,7 @@
{
size_t len = 0;
- if( *p - start < (int) size )
+ if( *p < start || (size_t)( *p - start ) < size )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
len = size;
@@ -107,7 +107,7 @@
//
len = mbedtls_mpi_size( X );
- if( *p - start < (int) len )
+ if( *p < start || (size_t)( *p - start ) < len )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
(*p) -= len;
@@ -270,7 +270,7 @@
// Calculate byte length
//
- if( *p - start < (int) size + 1 )
+ if( *p < start || (size_t)( *p - start ) < size + 1 )
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
len = size + 1;