From: Jay Satiro
Date: Fri, 25 Nov 2016 00:43:20 +0000 (-0500)
Subject: x509asn1: Restore the parameter check in Curl_getASN1Element
X-Git-Tag: curl-7_52_0~82
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2127457018d22034cb5ea977db654bd603078fc9;p=thirdparty%2Fcurl.git
x509asn1: Restore the parameter check in Curl_getASN1Element
- Restore the removed parts of the parameter check.
Follow-up to 945f60e which altered the parameter check.
---
diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index 96794d77ea..acd98e4928 100644
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@@ -41,7 +41,7 @@
 #include "memdebug.h"
 /* For overflow checks. */
-#define CURL_SIZE_T_MAX ((size_t) ~0)
+#define CURL_SIZE_T_MAX ((size_t)-1)
 /* ASN.1 OIDs. */
@@ -119,8 +119,8 @@ const char *Curl_getASN1Element(curl_asn1Element *elem,
 ending at `end'. Returns a pointer in source string after the parsed element, or NULL if an error occurs. */
-
- if(!beg || !end || (size_t) (end - beg) > CURL_ASN1_MAX)
+ if(!beg || !end || beg >= end || !*beg ||
+ (size_t)(end - beg) > CURL_ASN1_MAX)
 return (const char *) NULL;
 /* Process header byte. */
@@ -155,7 +155,7 @@ const char *Curl_getASN1Element(curl_asn1Element *elem,
 elem->end = beg;
 return beg + 1;
 }
- else if(beg + b > end)
+ else if((unsigned)b > (size_t)(end - beg))
 return (const char *) NULL; /* Does not fit in source. */
 else {
 /* Get long length. */
@@ -166,7 +166,7 @@ const char *Curl_getASN1Element(curl_asn1Element *elem,
 len = (len << 8) | (unsigned char) *beg++;
 } while(--b);
 }
- if((unsigned long) (end - beg) < len)
+ if(len > (size_t)(end - beg))
 return (const char *) NULL; /* Element data does not fit in source. */
 elem->beg = beg;
 elem->end = beg + len;
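Review bot: The `!*beg` term in the restored check at the top of Curl_getASN1Element rejects any input whose first octet is zero, and nothing in the hunk explains why. The comment above the check only says NULL is returned on error, so a reader cannot tell that an empty range (`beg >= end`) and a leading zero octet count as errors too. I would add a line above the `if` such as `/* Reject NULL or empty input, a leading zero octet, and input larger than CURL_ASN1_MAX. */`. The same comment could say that `beg >= end` is what keeps `end - beg` positive before the `(size_t)` cast. The function body starts and ends outside the hunk.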
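Review bot: The new bound `(unsigned)b > (size_t)(end - beg)` in the `-155,7` hunk is only correct while `beg <= end`; if `beg` were already past `end`, the negative difference would become a very large value after the cast and the test would let the length through. The code between the entry check and this branch is outside the hunk, so it is not visible whether a `beg >= end` test precedes the read of the length octet; if it does, a comment such as `/* beg <= end here, so end - beg cannot be negative. */` would record that invariant next to the cast. The same dependency applies to `if(len > (size_t)(end - beg))` in the last hunk, after the loop has advanced `beg`. The two sides also differ in width (`unsigned` against `size_t`); `(size_t)b` would keep them the same type, assuming `b` cannot be negative at this point.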