Fix potential buffer overflow in asn1write Ref: IOTSSL-519 backport of 22c3b7b

commit: 758f490c90eedcea91a8859eef035640c9a30f5b [log] [tgz]
author: Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Wed Oct 21 12:07:47 2015 +0200
committer: Manuel Pégourié-Gonnard <mpg2@elzevir.fr> Tue Oct 27 11:47:37 2015 +0100
tree: 6f7afa8a983faa415a3b3fd4094c0b0c2d13306d
parent: 215a14bf29c5eac125ab986adefa37bb4fbc5284 [diff] [blame]
diff --git a/library/asn1write.c b/library/asn1write.c
index df9442e..87e130e 100644
--- a/library/asn1write.c
+++ b/library/asn1write.c

@@ -88,7 +88,7 @@
 {
     size_t len = 0;
 
-    if( *p - start < (int) size )
+    if( *p < start || (size_t)( *p - start ) < size )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     len = size;
@@ -108,7 +108,7 @@
     //
     len = mpi_size( X );
 
-    if( *p - start < (int) len )
+    if( *p < start || (size_t)( *p - start ) < len )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     (*p) -= len;
@@ -271,7 +271,7 @@
 
     // Calculate byte length
     //
-    if( *p - start < (int) size + 1 )
+    if( *p < start || (size_t)( *p - start ) < size + 1 )
         return( POLARSSL_ERR_ASN1_BUF_TOO_SMALL );
 
     len = size + 1;
commit	758f490c90eedcea91a8859eef035640c9a30f5b	[log] [tgz]
author	Manuel Pégourié-Gonnard <mpg2@elzevir.fr>	Wed Oct 21 12:07:47 2015 +0200
committer	Manuel Pégourié-Gonnard <mpg2@elzevir.fr>	Tue Oct 27 11:47:37 2015 +0100
tree	6f7afa8a983faa415a3b3fd4094c0b0c2d13306d
parent	215a14bf29c5eac125ab986adefa37bb4fbc5284 [diff] [blame]