Fix 1 byte overread in mbedtls_asn1_get_int()
diff --git a/ChangeLog b/ChangeLog
index 4af1675..3521246 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -16,7 +16,10 @@
when GCM is used. #441
* Fix for key exchanges based on ECDH-RSA or ECDH-ECDSA which weren't
enabled unless others were also present. Found by David Fernandez. #428
- * Fixed configuration of debug output in cert_app sample program.
+ * Fixed cert_app sample program for debug output and for use when no root
+ certificates are provided.
+ * Fix conditional statement that would cause a 1 byte overread in
+ mbedtls_asn1_get_int(). Found and fixed by Guido Vranken.
* Fixed the sample applications gen_key.c, cert_req.c and cert_write.c for
builds where the configuration POLARSSL_PEM_WRITE_C is not defined. Found
by inestlerode. #559.
diff --git a/library/asn1parse.c b/library/asn1parse.c
index e4f46eb..8c167df 100644
--- a/library/asn1parse.c
+++ b/library/asn1parse.c
@@ -154,7 +154,7 @@
if( ( ret = asn1_get_tag( p, end, &len, ASN1_INTEGER ) ) != 0 )
return( ret );
- if( len > sizeof( int ) || ( **p & 0x80 ) != 0 )
+ if( len == 0 || len > sizeof( int ) || ( **p & 0x80 ) != 0 )
return( POLARSSL_ERR_ASN1_INVALID_LENGTH );
*val = 0;