Check for overflow in BER decoder EOC scanning

author: Jack Lloyd <[email protected]> 2016-11-23 12:46:45 -0500
committer: Jack Lloyd <[email protected]> 2016-11-27 16:49:17 -0500
commit: 06a93345fb715dfaefbdb5774ec66eff46fdfaa3 (patch)
tree: 71b10f2c036d54b470c283168b50466bcdec5045 /src/lib/asn1
parent: f11d1bf525d1c77514bac61b309bd604c92acbfd (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/src/lib/asn1/ber_dec.cpp b/src/lib/asn1/ber_dec.cpp
index ac676cd08..81c04aa6a 100644
--- a/src/lib/asn1/ber_dec.cpp
+++ b/src/lib/asn1/ber_dec.cpp
@@ -9,6 +9,7 @@
 #include <botan/ber_dec.h>
 #include <botan/bigint.h>
 #include <botan/loadstor.h>
+#include <botan/internal/safeint.h>
 
 namespace Botan {
 
@@ -126,7 +127,9 @@ size_t find_eoc(DataSource* ber)
       size_t item_size = decode_length(&source, length_size);
       source.discard_next(item_size);
 
-      length += item_size + length_size + tag_size;
+      length = BOTAN_CHECKED_ADD(length, item_size);
+      length = BOTAN_CHECKED_ADD(length, tag_size);
+      length = BOTAN_CHECKED_ADD(length, length_size);
 
       if(type_tag == EOC && class_tag == UNIVERSAL)
          break;
author	Jack Lloyd <[email protected]>	2016-11-23 12:46:45 -0500
committer	Jack Lloyd <[email protected]>	2016-11-27 16:49:17 -0500
commit	06a93345fb715dfaefbdb5774ec66eff46fdfaa3 (patch)
tree	71b10f2c036d54b470c283168b50466bcdec5045 /src/lib/asn1
parent	f11d1bf525d1c77514bac61b309bd604c92acbfd (diff)