aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-04-13 14:46:52 -0400
committerJack Lloyd <[email protected]>2017-04-13 14:46:52 -0400
commit92a888921a877e73951b6c256429bfae0356b22f (patch)
treedf5024aaef4d5f3288d4d18ac7a1a720f040c8dc /src
parent4737338d1810c3a8934d83a2579c3772afe53768 (diff)
parentcd72f4ac0bfc6ff5ecafb804e6c61c8d2902d6c4 (diff)
Merge GH #989 Avoid recursion in BER_Decoder::get_next_object
Diffstat (limited to 'src')
-rw-r--r--src/lib/asn1/ber_dec.cpp27
-rw-r--r--src/tests/test_asn1.cpp67
2 files changed, 83 insertions, 11 deletions
diff --git a/src/lib/asn1/ber_dec.cpp b/src/lib/asn1/ber_dec.cpp
index 7b2147600..bf728a8e8 100644
--- a/src/lib/asn1/ber_dec.cpp
+++ b/src/lib/asn1/ber_dec.cpp
@@ -218,20 +218,25 @@ BER_Object BER_Decoder::get_next_object()
return next;
}
- decode_tag(m_source, next.type_tag, next.class_tag);
- if(next.type_tag == NO_OBJECT)
- return next;
+ for(;;)
+ {
+ decode_tag(m_source, next.type_tag, next.class_tag);
+ if(next.type_tag == NO_OBJECT)
+ return next;
- const size_t length = decode_length(m_source);
- if(!m_source->check_available(length))
- throw BER_Decoding_Error("Value truncated");
+ const size_t length = decode_length(m_source);
+ if(!m_source->check_available(length))
+ throw BER_Decoding_Error("Value truncated");
- next.value.resize(length);
- if(m_source->read(next.value.data(), length) != length)
- throw BER_Decoding_Error("Value truncated");
+ next.value.resize(length);
+ if(m_source->read(next.value.data(), length) != length)
+ throw BER_Decoding_Error("Value truncated");
- if(next.type_tag == EOC && next.class_tag == UNIVERSAL)
- return get_next_object();
+ if(next.type_tag == EOC && next.class_tag == UNIVERSAL)
+ continue;
+ else
+ break;
+ }
return next;
}
diff --git a/src/tests/test_asn1.cpp b/src/tests/test_asn1.cpp
new file mode 100644
index 000000000..3427d391d
--- /dev/null
+++ b/src/tests/test_asn1.cpp
@@ -0,0 +1,67 @@
+/*
+* (C) 2017 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#include "tests.h"
+
+#if defined(BOTAN_HAS_ASN1)
+ #include <botan/der_enc.h>
+ #include <botan/ber_dec.h>
+#endif
+
+namespace Botan_Tests {
+
+#if defined(BOTAN_HAS_ASN1)
+
+namespace {
+
+Test::Result test_ber_stack_recursion()
+ {
+ Test::Result result("BER stack recursion");
+
+ // OSS-Fuzz #813 GitHub #989
+
+ try
+ {
+ const std::vector<uint8_t> in(10000000, 0);
+ Botan::DataSource_Memory input(in.data(), in.size());
+ Botan::BER_Decoder dec(input);
+
+ while(dec.more_items())
+ {
+ Botan::BER_Object obj;
+ dec.get_next(obj);
+ }
+ }
+ catch(Botan::Decoding_Error&)
+ {
+ }
+
+ result.test_success("No crash");
+
+ return result;
+ }
+
+}
+
+class ASN1_Tests : public Test
+ {
+ public:
+ std::vector<Test::Result> run() override
+ {
+ std::vector<Test::Result> results;
+
+ results.push_back(test_ber_stack_recursion());
+
+ return results;
+ }
+ };
+
+BOTAN_REGISTER_TEST("asn1", ASN1_Tests);
+
+#endif
+
+}
+