From: Tom Yu Date: Sun, 11 Jul 1999 09:19:41 +0000 (+0000) Subject: * asn1_decode.c (asn1_decode_integer): Fix to deal with overflows X-Git-Tag: krb5-1.1-beta1~64 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=04440a6e90e94285441f414c77768d3726fdd0a5;p=krb5.git * asn1_decode.c (asn1_decode_integer): Fix to deal with overflows and negative integers. (asn1_decode_unsigned_integer): Fix to deal with overflows and to return errors on encountering negative integers. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11558 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog index cc9f48985..50c7808aa 100644 --- a/src/lib/krb5/asn.1/ChangeLog +++ b/src/lib/krb5/asn.1/ChangeLog @@ -1,3 +1,10 @@ +Sat Jul 10 10:21:40 1999 Tom Yu + + * asn1_decode.c (asn1_decode_integer): Fix to deal with overflows + and negative integers. + (asn1_decode_unsigned_integer): Fix to deal with overflows and to + return errors on encountering negative integers. + 1999-07-06 Ken Raeburn * KRB5-asn.py (PA-SAM-RESPONSE): Fix syntax error -- comma diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c index cb48c2e5b..189f7c082 100644 --- a/src/lib/krb5/asn.1/asn1_decode.c +++ b/src/lib/krb5/asn.1/asn1_decode.c @@ -58,14 +58,22 @@ asn1_error_code asn1_decode_integer(buf, val) { setup(); asn1_octet o; - unsigned long n; + long n; + int i; tag(ASN1_INTEGER); - for(n=0; length > 0; length--){ - retval = asn1buf_remove_octet(buf,&o); - if(retval) return retval; - n = (n<<8) + (unsigned int)o; + for (i = 0; i < length; i++) { + retval = asn1buf_remove_octet(buf, &o); + if (retval) return retval; + if (!i) { + n = (0x80 & o) ? -1 : 0; /* grab sign bit */ + if (n < 0 && length > sizeof (long)) + return ASN1_OVERFLOW; + else if (length > sizeof (long) + 1) /* allow extra octet for positive */ + return ASN1_OVERFLOW; + } + n = (n << 8) | o; } *val = n; cleanup(); 
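Review bot: In asn1_decode_integer `n` is now assigned only inside `if (!i)`, so a zero-length INTEGER skips the loop and `*val = n` stores an uninitialized value, unless `tag()` (not visible in the hunk) already rejects that length; the removed loop started from `n=0`. Declaring `long n = 0;`, or returning an error before the loop when `length` is 0, closes that. The `length > sizeof (long) + 1` branch also lets a non-negative value carry one octet more than a `long` holds without checking the result: a first octet of 0x01..0x7f is shifted out by `n = (n << 8) | o`, and 0x00 followed by an octet with the high bit set comes back negative. A correctly encoded value that needs the extra octet never fits in a signed `long`, so a single `if (length > sizeof (long)) return ASN1_OVERFLOW;` for both signs looks like the safer bound. The function's parameter declarations and closing brace are outside the hunk.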
@@ -78,13 +86,20 @@ asn1_error_code asn1_decode_unsigned_integer(buf, val) setup(); asn1_octet o; unsigned long n; + int i; tag(ASN1_INTEGER); - for(n=0; length > 0; length--){ - retval = asn1buf_remove_octet(buf,&o); + for (i = 0, n = 0; i < length; i++) { + retval = asn1buf_remove_octet(buf, &o); if(retval) return retval; - n = (n<<8) + (unsigned int)o; + if (!i) { + if (0x80 & o) + return ASN1_OVERFLOW; + else if (length > sizeof (long) + 1) + return ASN1_OVERFLOW; + } + n = (n << 8) | o; } *val = n; cleanup();
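Review bot: The `length > sizeof (long) + 1` test in asn1_decode_unsigned_integer accepts one octet more than `unsigned long` holds whenever the first octet's high bit is clear, but only a leading 0x00 is harmless. With a first octet of 0x01..0x7f and `sizeof (long) + 1` octets, `n = (n << 8) | o` shifts that octet out and the truncated value is stored in `*val` with no error. Tying the allowance to the octet's value, e.g. `else if (length > sizeof (long) + (o == 0))`, keeps the leading-zero form and rejects the rest. A zero-length INTEGER also decodes as 0 here unless `tag()` (outside the hunk) rejects it, which is worth an explicit check or a comment. The function's parameter declarations and closing brace are outside the hunk.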