authorAnotherTest <ali.mpfard@gmail.com>2021-03-08 10:50:40 +0330
committerAndreas Kling <kling@serenityos.org>2021-03-08 08:32:07 +0100
commit8cc279ed74dc0b16a187052d2454c26c8c6ecaf2 (patch)
tree593c8050e4630d6d71bd1f49c2ff3f3605ef23cf
parentf9f9cda025e6116ee4f1cd37ad1d1452bff2c798 (diff)
LibCrypto: Fail with overflow when bitfield has too many unused bits
There cannot be more unused bits than the entirety of the input. Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31706#c1
-rw-r--r--Userland/Libraries/LibCrypto/ASN1/DER.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/Userland/Libraries/LibCrypto/ASN1/DER.cpp b/Userland/Libraries/LibCrypto/ASN1/DER.cpp
index 1fcbbc113b..d09c7ee87e 100644
--- a/Userland/Libraries/LibCrypto/ASN1/DER.cpp
+++ b/Userland/Libraries/LibCrypto/ASN1/DER.cpp
@@ -196,7 +196,12 @@ Result<const BitmapView, DecodeError> Decoder::decode_bit_string(ReadonlyBytes d
return DecodeError::InvalidInputFormat;
auto unused_bits = data[0];
- return BitmapView { const_cast<u8*>(data.offset_pointer(1)), data.size() * 8 - unused_bits };
+ auto total_size_in_bits = data.size() * 8;
+
+ if (unused_bits > total_size_in_bits)
+ return DecodeError::Overflow;
+
+ return BitmapView { const_cast<u8*>(data.offset_pointer(1)), total_size_in_bits - unused_bits };
}
Result<Tag, DecodeError> Decoder::peek()
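Review bot: The new `total_size_in_bits` line still counts the leading unused-bits octet, while the view starts at `data.offset_pointer(1)`, so for any `unused_bits` below 8 the returned BitmapView claims up to eight bits more than the content bytes hold and a consumer can read one byte past the buffer. Computing the size from the content alone, `auto total_size_in_bits = (data.size() - 1) * 8;`, keeps the view in bounds; this assumes the guard above the hunk, which is not visible here, already rejects empty input. DER also restricts the unused-bits octet to the range 0..7, so `if (unused_bits > 7 || unused_bits > total_size_in_bits)` would reject malformed encodings that the current comparison lets through. A regression test with a constructed two-byte input such as `{ 0x00, 0xff }`, expecting an 8-bit view, would pin the length down.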