PR/6: tobias: out of boundary read in DER parser

diff --git a/src/der.c b/src/der.c
index 5ff6decce60f5b7b1bd32383b75b316130ae878b..d017b63983f0979162bdbf3ca6277348e7e55e8b 100644 (file)
--- a/src/der.c
+++ b/src/der.c
@@ -35,7 +35,7 @@
 #include "file.h"
 
 #ifndef lint
-FILE_RCSID("@(#)$File: der.c,v 1.11 2016/11/07 15:51:23 christos Exp $")
+FILE_RCSID("@(#)$File: der.c,v 1.13 2018/06/23 15:15:26 christos Exp $")
 #endif
 #endif
 
@@ -199,7 +199,7 @@ getlength(const uint8_t *c, size_t *p, size_t l)
        for (i = 0; i < digits; i++)
                len = (len << 8) | c[(*p)++];
 
-       if (*p + len >= l)
+       if (len > UINT32_MAX - *p || *p + len >= l)
                return DER_BAD;
        return CAST(uint32_t, len);
 }