summaryrefslogtreecommitdiff
path: root/Userland/Libraries/LibCrypto
diff options
context:
space:
mode:
authorAnotherTest <ali.mpfard@gmail.com>2021-03-08 10:50:40 +0330
committerAndreas Kling <kling@serenityos.org>2021-03-08 08:32:07 +0100
commit8cc279ed74dc0b16a187052d2454c26c8c6ecaf2 (patch)
tree593c8050e4630d6d71bd1f49c2ff3f3605ef23cf /Userland/Libraries/LibCrypto
parentf9f9cda025e6116ee4f1cd37ad1d1452bff2c798 (diff)
downloadserenity-8cc279ed74dc0b16a187052d2454c26c8c6ecaf2.zip
LibCrypto: Fail with overflow when bitfield has too many unused bits
There cannot be more unused bits than the entirety of the input. Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31706#c1
Diffstat (limited to 'Userland/Libraries/LibCrypto')
-rw-r--r--Userland/Libraries/LibCrypto/ASN1/DER.cpp7
1 files changed, 6 insertions, 1 deletions
diff --git a/Userland/Libraries/LibCrypto/ASN1/DER.cpp b/Userland/Libraries/LibCrypto/ASN1/DER.cpp
index 1fcbbc113b..d09c7ee87e 100644
--- a/Userland/Libraries/LibCrypto/ASN1/DER.cpp
+++ b/Userland/Libraries/LibCrypto/ASN1/DER.cpp
@@ -196,7 +196,12 @@ Result<const BitmapView, DecodeError> Decoder::decode_bit_string(ReadonlyBytes d
return DecodeError::InvalidInputFormat;
auto unused_bits = data[0];
- return BitmapView { const_cast<u8*>(data.offset_pointer(1)), data.size() * 8 - unused_bits };
+ auto total_size_in_bits = data.size() * 8;
+
+ if (unused_bits > total_size_in_bits)
+ return DecodeError::Overflow;
+
+ return BitmapView { const_cast<u8*>(data.offset_pointer(1)), total_size_in_bits - unused_bits };
}
Result<Tag, DecodeError> Decoder::peek()