X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=blobdiff_plain;f=src%2Fec%2Fecdsa_i31_vrfy_asn1.c;h=4161aaaa3efffe4a0039613baca37b681ede576b;hp=e98b779c51171d6bebc8c47a44c172e0b75c0707;hb=d021b7eb7fada2acbe16b1b56f6e2cbdf8eee362;hpb=3210f38e0491b39aec1ef419cb4114e9483089fb

diff --git a/src/ec/ecdsa_i31_vrfy_asn1.c b/src/ec/ecdsa_i31_vrfy_asn1.c
index e98b779..4161aaa 100644
--- a/src/ec/ecdsa_i31_vrfy_asn1.c
+++ b/src/ec/ecdsa_i31_vrfy_asn1.c
@@ -33,9 +33,13 @@ br_ecdsa_i31_vrfy_asn1(const br_ec_impl *impl,
 	const br_ec_public_key *pk,
 	const void *sig, size_t sig_len)
 {
-	unsigned char rsig[(FIELD_LEN << 1) + 12];
+	/*
+	 * We use a double-sized buffer because a malformed ASN.1 signature
+	 * may trigger a size expansion when converting to "raw" format.
+	 */
+	unsigned char rsig[(FIELD_LEN << 2) + 24];
 
-	if (sig_len > sizeof rsig) {
+	if (sig_len > ((sizeof rsig) >> 1)) {
 		return 0;
 	}
 	memcpy(rsig, sig, sig_len);