From: Thomas Pornin Date: Sat, 20 Jul 2019 14:36:36 +0000 (-0400) Subject: Fixed buffer overflow in private key decoding (wrong buffer length used in size check). X-Git-Url: https://www.bearssl.org/gitweb//home/git/?p=BearSSL;a=commitdiff_plain;h=b715b43e411dc5d5949df6f75ef7bb65952db11c;ds=sidebyside Fixed buffer overflow in private key decoding (wrong buffer length used in size check). --- diff --git a/src/x509/skey_decoder.c b/src/x509/skey_decoder.c index f4e43e7..9e285d7 100644 --- a/src/x509/skey_decoder.c +++ b/src/x509/skey_decoder.c @@ -155,7 +155,7 @@ static const unsigned char t0_codeblock[] = { 0x02, 0x06, 0x1E, 0x00, 0x00, 0x19, 0x19, 0x00, 0x00, 0x01, 0x0B, 0x00, 0x00, 0x01, 0x00, 0x20, 0x14, 0x06, 0x08, 0x01, 0x01, 0x21, 0x20, 0x22, 0x20, 0x04, 0x75, 0x13, 0x00, 0x00, 0x01, - T0_INT2(3 * BR_X509_BUFSIZE_KEY), 0x00, 0x01, 0x01, 0x87, 0xFF, 0xFF, + T0_INT2(3 * BR_X509_BUFSIZE_SIG), 0x00, 0x01, 0x01, 0x87, 0xFF, 0xFF, 0x7F, 0x54, 0x57, 0x01, 0x02, 0x3E, 0x55, 0x01, 0x01, 0x0E, 0x06, 0x02, 0x30, 0x16, 0x57, 0x01, 0x02, 0x19, 0x0D, 0x06, 0x06, 0x13, 0x3B, 0x44, 0x32, 0x04, 0x1C, 0x01, 0x04, 0x19, 0x0D, 0x06, 0x08, 0x13, 0x3B, 0x01, diff --git a/src/x509/skey_decoder.t0 b/src/x509/skey_decoder.t0 index 5b59421..f00e614 100644 --- a/src/x509/skey_decoder.t0 +++ b/src/x509/skey_decoder.t0 @@ -80,7 +80,7 @@ cc: read-blob-inner ( addr len -- addr len ) { \ Get the length of the key_data buffer. : len-key_data - CX 0 8191 { 3 * BR_X509_BUFSIZE_KEY } ; + CX 0 8191 { 3 * BR_X509_BUFSIZE_SIG } ; \ Get the address and length for the key_data buffer. : addr-len-key_data ( -- addr len )
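Review bot: `len-key_data` in `skey_decoder.t0` still restates the size of the key_data buffer as a hand-written expression, `3 * BR_X509_BUFSIZE_SIG`, and nothing in the hunk ties that constant to the declaration of `key_data`, which lies outside this diff. Per the commit subject, that kind of mismatch is what let the size check disagree with the real buffer. Deriving the bound from the field itself, e.g. `CX 0 8191 { sizeof ((CONTEXT_TYPE *)0)->key_data } ;` (CONTEXT_TYPE is a placeholder for the decoder context struct), would keep the check correct if the declaration changes again; this assumes the T0 constant slot accepts any C constant expression and that the value stays within the declared 0..8191 range, both to be confirmed. Failing that, a compile-time assertion next to the struct that the field's size equals `3 * BR_X509_BUFSIZE_SIG`, plus a decoder test that feeds a key blob longer than the buffer and expects a clean error, would catch a regression. The same constant appears in the generated `skey_decoder.c` hunk, so that file has to be regenerated together with this one.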