From 06a93345fb715dfaefbdb5774ec66eff46fdfaa3 Mon Sep 17 00:00:00 2001
From: Jack Lloyd <jack@randombit.net>
Date: Wed, 23 Nov 2016 12:46:45 -0500
Subject: Check for overflow in BER decoder EOC scanning

---
 src/lib/asn1/ber_dec.cpp |  5 ++++-
 src/lib/utils/info.txt   |  3 ++-
 src/lib/utils/safeint.h  | 39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 src/lib/utils/safeint.h

(limited to 'src/lib')

diff --git a/src/lib/asn1/ber_dec.cpp b/src/lib/asn1/ber_dec.cpp
index ac676cd08..81c04aa6a 100644
--- a/src/lib/asn1/ber_dec.cpp
+++ b/src/lib/asn1/ber_dec.cpp
@@ -9,6 +9,7 @@
 #include <botan/ber_dec.h>
 #include <botan/bigint.h>
 #include <botan/loadstor.h>
+#include <botan/internal/safeint.h>
 
 namespace Botan {
 
@@ -126,7 +127,9 @@ size_t find_eoc(DataSource* ber)
       size_t item_size = decode_length(&source, length_size);
       source.discard_next(item_size);
 
-      length += item_size + length_size + tag_size;
+      length = BOTAN_CHECKED_ADD(length, item_size);
+      length = BOTAN_CHECKED_ADD(length, tag_size);
+      length = BOTAN_CHECKED_ADD(length, length_size);
 
       if(type_tag == EOC && class_tag == UNIVERSAL)
          break;
diff --git a/src/lib/utils/info.txt b/src/lib/utils/info.txt
index 820dd407d..306e6e9ad 100644
--- a/src/lib/utils/info.txt
+++ b/src/lib/utils/info.txt
@@ -1,4 +1,4 @@
-define UTIL_FUNCTIONS 20150919
+define UTIL_FUNCTIONS 20161127
 
 load_on always
 
@@ -31,6 +31,7 @@ filesystem.h
 os_utils.h
 prefetch.h
 rounding.h
+safeint.h
 semaphore.h
 stl_util.h
 </header:internal>
diff --git a/src/lib/utils/safeint.h b/src/lib/utils/safeint.h
new file mode 100644
index 000000000..e0bd66232
--- /dev/null
+++ b/src/lib/utils/safeint.h
@@ -0,0 +1,39 @@
+/*
+* Safe(r) Integer Handling
+* (C) 2016 Jack Lloyd
+*
+* Botan is released under the Simplified BSD License (see license.txt)
+*/
+
+#ifndef BOTAN_UTILS_SAFE_INT_H__
+#define BOTAN_UTILS_SAFE_INT_H__
+
+#include <botan/exceptn.h>
+#include <string>
+
+namespace Botan {
+
+class Integer_Overflow_Detected : public Exception
+   {
+   public:
+      Integer_Overflow_Detected(const std::string& file, int line) :
+         Exception("Integer overflow detected at " + file + ":" + std::to_string(line))
+         {}
+   };
+
+inline size_t checked_add(size_t x, size_t y, const char* file, int line)
+   {
+   // TODO: use __builtin_x_overflow on GCC and Clang
+   size_t z = x + y;
+   if(z < x)
+      {
+      throw Integer_Overflow_Detected(file, line);
+      }
+   return z;
+   }
+
+#define BOTAN_CHECKED_ADD(x,y) checked_add(x,y,__FILE__,__LINE__)
+
+}
+
+#endif
-- 
cgit v1.2.3