File libtasn1-CVE-2016-4008-1.patch of Package libtasn1.2708

From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Mon, 4 Apr 2016 13:06:21 +0000 (+0200)
Subject: _asn1_extract_der_octet: catch invalid input cases early
X-Git-Tag: libtasn1_4_8~22
X-Git-Url: http://git.savannah.gnu.org/gitweb/?p=libtasn1.git;a=commitdiff_plain;h=f435825c0f527a8e52e6ffbc3ad0bc60531d537e;hp=d3ca1b00bd920191f1e15a530a45c19bc3ebd0ef

_asn1_extract_der_octet: catch invalid input cases early

That is, check the calculated lengths for validity prior
to entering a loop. This avoids an infinite recursion.
Reported by Pascal Cuoq.
---

diff --git a/lib/decoding.c b/lib/decoding.c
index 4fa045c..6fd60d0 100644
--- a/lib/decoding.c
+++ b/lib/decoding.c
@@ -767,10 +767,17 @@ _asn1_extract_der_octet (asn1_node node, const unsigned char *der,
   DECR_LEN(der_len, len3);
 
   if (len2 == -1)
-    counter_end = der_len - 2;
+    {
+      if (der_len < 2)
+        return ASN1_DER_ERROR;
+      counter_end = der_len - 2;
+    }
   else
     counter_end = der_len;
 
+  if (counter_end < counter)
+    return ASN1_DER_ERROR;
+
   while (counter < counter_end)
     {
       DECR_LEN(der_len, 1);
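
Review bot: The two new early returns (the `der_len < 2` guard inside the `len2 == -1` branch and the `counter_end < counter` check just before the `while`) have no comment saying which malformed input they reject. The commit message gives the reason (avoiding an infinite recursion), but the code does not, so a one-line comment above `if (counter_end < counter)` would help keep the check from being dropped in a later cleanup. The surrounding lines report length errors through `DECR_LEN`, so please confirm that a bare `return ASN1_DER_ERROR;` exits the function the same way that macro does on failure. The diff touches only lib/decoding.c; a regression input for the reported case would be a useful addition to the change.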