commit 4269ee6f2dbc38656f4415110bb423fff3f157ff
author Gilles Peskine <Gilles.Peskine@arm.com> Wed Jun 26 23:32:50 2024 +0200
committer Gilles Peskine <Gilles.Peskine@arm.com> Thu Jul 25 18:39:53 2024 +0200
tree de7d97c34a7a881c84a027bac1e02d0113393058
parent f6275b745f7f6c019815fafcd4a69e6ca6df5745

Fix stack buffer overflow in ECDSA signature format conversions

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

library/psa_util.c

diff --git a/library/psa_util.c b/library/psa_util.c
index 4ccc5b0..679d00e 100644
--- a/library/psa_util.c
+++ b/library/psa_util.c
@@ -443,6 +443,9 @@
     if (raw_len != (2 * coordinate_len)) {
         return MBEDTLS_ERR_ASN1_INVALID_DATA;
     }
+    if (coordinate_len > sizeof(r)) {
+        return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+    }
 
     /* Since raw and der buffers might overlap, dump r and s before starting
      * the conversion. */
@@ -561,6 +564,9 @@
     if (raw_size < coordinate_size * 2) {
         return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
     }
+    if (2 * coordinate_size > sizeof(raw_tmp)) {
+        return MBEDTLS_ERR_ASN1_BUF_TOO_SMALL;
+    }
 
     /* Check that the provided input DER buffer has the right header. */
     ret = mbedtls_asn1_get_tag(&p, der + der_len, &data_len,