blob: 9a8ceecbe786842563b9ef942cb805a62dac9e60 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
|
From 22fd12b290adea788122044cb58dc9e77754644f Mon Sep 17 00:00:00 2001
From: Vivek Kumbhar <vkumbhar@mvista.com>
Date: Thu, 17 Nov 2022 12:07:50 +0530
Subject: [PATCH] CVE-2021-46848
Upstream-Status: Backport [https://gitlab.com/gnutls/libtasn1/-/commit/44a700d2051a666235748970c2df047ff207aeb5]
CVE: CVE-2021-46848
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Fix ETYPE_OK off by one array size check.
---
NEWS | 4 ++++
lib/int.h | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index f042481..d8f684e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,9 @@
GNU Libtasn1 NEWS -*- outline -*-
+* Noteworthy changes in release ?.? (????-??-??) [?]
+- Fix ETYPE_OK out of bounds read. Closes: #32.
+- Update gnulib files and various maintenance fixes.
+
* Noteworthy changes in release 4.16.0 (released 2020-02-01) [stable]
- asn1_decode_simple_ber: added support for constructed definite
octet strings. This allows this function decode the whole set of
diff --git a/lib/int.h b/lib/int.h
index ea16257..c877282 100644
--- a/lib/int.h
+++ b/lib/int.h
@@ -97,7 +97,7 @@ typedef struct tag_and_class_st
#define ETYPE_TAG(etype) (_asn1_tags[etype].tag)
#define ETYPE_CLASS(etype) (_asn1_tags[etype].class)
#define ETYPE_OK(etype) (((etype) != ASN1_ETYPE_INVALID && \
- (etype) <= _asn1_tags_size && \
+ (etype) < _asn1_tags_size && \
_asn1_tags[(etype)].desc != NULL)?1:0)
#define ETYPE_IS_STRING(etype) ((etype == ASN1_ETYPE_GENERALSTRING || \
--
2.25.1
|