File opensc-oberthur-overflow1.patch of Package opensc.33736

Overview Repositories Revisions Requests Users Attributes Meta

File opensc-oberthur-overflow1.patch of Package opensc.33736

From 17d8980cde7be597afc366b7e311d0d7cadcb1f4 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Wed, 3 Feb 2021 21:46:15 +0100
Subject: [PATCH 1/5] oberthur: Avoid two buffer overflows

Thanks oss-fuzz

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30112
---
 src/libopensc/pkcs15-oberthur.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Index: opensc-0.19.0/src/libopensc/pkcs15-oberthur.c
===================================================================
--- opensc-0.19.0.orig/src/libopensc/pkcs15-oberthur.c
+++ opensc-0.19.0/src/libopensc/pkcs15-oberthur.c
@@ -860,10 +860,14 @@ sc_pkcs15emu_oberthur_add_data(struct sc
 	offs = 2;
 
 	/* Label */
-	if (offs > info_len)
+	if (offs + 2 > info_len)
 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'label'");
 	label = info_blob + offs + 2;
 	label_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+	if (offs + 2 + label_len > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'label' received");
+	}
 	if (label_len > sizeof(dobj.label) - 1)
 		label_len = sizeof(dobj.label) - 1;
 	offs += 2 + *(info_blob + offs + 1);
@@ -878,7 +882,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc
 	offs += 2 + app_len;
 
 	/* OID encode like DER(ASN.1(oid)) */
-	if (offs > info_len)
+	if (offs + 1 > info_len)
 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
 	oid_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
 	if (oid_len)   {

Places

File opensc-oberthur-overflow1.patch of Package opensc.33736

Places