Fix integer overflow with an input buffer larger than INT_MAX
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
diff --git a/library/x509_create.c b/library/x509_create.c
index b6895bf..2bea28e 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -208,7 +208,7 @@
* contains a null byte.
*/
static int parse_attribute_value_hex_der_encoded(const char *s,
- int len,
+ size_t len,
unsigned char *data,
size_t *data_len,
int *tag)
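Review bot: Switching `len` to `size_t` in this signature changes how any signed-style handling of `len` in the body behaves: a check such as `len < 0` becomes always false, and a subtraction from `len` wraps to a large value instead of going negative. The body of parse_attribute_value_hex_der_encoded lies outside this hunk, so each use of `len` there should be re-read with unsigned semantics in mind. The visible signature also passes `data` with no separate capacity argument, so unless `*data_len` carries the buffer size on entry (not visible here), the callee cannot bound its writes against a very large `len`. The header comment would benefit from a line stating the contract, for example `len is the number of characters of s to parse; the caller guarantees they are readable`.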
@@ -308,10 +308,12 @@
mbedtls_free(oid.p);
return MBEDTLS_ERR_X509_INVALID_NAME;
} else if (*s == '#') {
- if ((parse_ret =
- parse_attribute_value_hex_der_encoded(s + 1, (int) (c - s - 1),
- data, &data_len,
- &tag)) != 0) {
+ /* We know that c >= s (loop invariant) and c != s (in this
+ * else branch), hence c - s - 1 >= 0. */
+ parse_ret = parse_attribute_value_hex_der_encoded(
+ s + 1, c - s - 1,
+ data, &data_len, &tag);
+ if (parse_ret != 0) {
mbedtls_free(oid.p);
return MBEDTLS_ERR_X509_INVALID_NAME;
}
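Review bot: The argument `c - s - 1` is a `ptrdiff_t` that is now converted to `size_t` implicitly, so if the invariant in the new comment ever stops holding, the length wraps to a huge value rather than a negative one the callee could reject. Making the conversion explicit, `s + 1, (size_t) (c - s - 1),`, documents that it is intentional and keeps `-Wsign-conversion` builds quiet. The enclosing function starts and ends outside the hunk, so the loop invariant cited in the comment (`c >= s`) cannot be confirmed from the visible lines. A regression test for the oversized-input case named in the commit title would help keep this from regressing; none is part of the visible diff.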