author Jack Lloyd <[email protected]> 2015-08-02 23:43:12 -0400
committer Jack Lloyd <[email protected]> 2015-08-02 23:43:12 -0400
commit 392ce7db1eccf5e2eacb074195ea7f5016f70259
tree 49aa67753d35e5ae56feac3b67cc55b7274a53da /doc
parent 8e19ecf11c2c50b5a2d6642477d729091409fec8
Fix two crashes in the BER decoder found with afl.
One is a read at 0 of an empty vector, the other causes allocation of an arbitrary amount of memory.
Diffstat (limited to 'doc')
-rw-r--r-- doc/news.rst 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/news.rst b/doc/news.rst
index 970af882e..312bfdca6 100644
--- a/doc/news.rst
+++ b/doc/news.rst
@@ -4,6 +4,16 @@ Release Notes
Version 1.11.19, Not Yet Released
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+* SECURIY: The BER decoder would crash due to reading from offset 0 of
+ an empty vector if it encountered a BIT STRING which did not contain
+ any data at all. As the type requires a 1 byte field this is not
+ valid BER but could occur in malformed data. Found with afl.
+
+* SECURITY: The BER decoder would allocate a fairly arbitrary amount
+ of memory in a length field, even if there was no chance the read
+ request would succeed. This might cause the process to run out of
+ memory or invoke the OOM killer. Found with afl.
+
* The TLS heartbeat extension is deprecated and unless strong arguments
are raised in its favor it will be removed in a future release.
Comment at https://github.com/randombit/botan/issues/187
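Review bot: the first added entry is tagged "SECURIY:" instead of "SECURITY:", so anyone searching the release notes for the SECURITY marker used by the second entry will miss the BIT STRING crash; please fix the spelling. In the second entry, "would allocate a fairly arbitrary amount of memory in a length field" reads as if the allocation happens inside the field; wording such as "based on a length field" would say more clearly that the size comes from the encoded length. Both entries say "Found with afl" but neither states which released versions are affected; since these sit under 1.11.19, a short note on the affected range would help users decide whether they need to upgrade. This diff is limited to doc/, so the decoder changes themselves are not visible here for review.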