Fix potential random malloc in pem_read()
diff --git a/ChangeLog b/ChangeLog
index 329e563..89caddb 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,10 @@
but might be in other uses. On 32 bit machines, requires reading a string
of close to or larger than 1GB to exploit; on 64 bit machines, would require
reading a string of close to or larger than 2^62 bytes.
+ * Fix potential random memory allocation in mbedtls_pem_read_buffer()
+ on crafted PEM input data. Found an fix provided by Guid Vranken.
+ Not triggerable remotely in TLS. Triggerable remotely if you accept PEM
+ data from an untrusted source.
= mbed TLS 1.3.13 reladsed 2015-09-17
diff --git a/library/base64.c b/library/base64.c
index ac922a4..2f7bb14 100644
--- a/library/base64.c
+++ b/library/base64.c
@@ -190,7 +190,10 @@
}
if( n == 0 )
+ {
+ *dlen = 0;
return( 0 );
+ }
n = ( ( n * 6 ) + 7 ) >> 3;
n -= j;
diff --git a/library/pem.c b/library/pem.c
index 5060484..054fcff 100644
--- a/library/pem.c
+++ b/library/pem.c
@@ -317,6 +317,9 @@
( POLARSSL_AES_C || POLARSSL_DES_C ) */
}
+ if( s1 == s2 )
+ return( POLARSSL_ERR_PEM_INVALID_DATA );
+
len = 0;
ret = base64_decode( NULL, &len, s1, s2 - s1 );