From: z2_ <88509734+z2-2z@users.noreply.github.com>
Date: Thu, 5 Aug 2021 19:08:37 +0000 (+0200)
Subject: x509asn1: fix heap over-read when parsing x509 certificates
X-Git-Tag: curl-7_79_0~115
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f3ca7f77395367ad74e91785c7ca0ccb6c927ba;p=thirdparty%2Fcurl.git

x509asn1: fix heap over-read when parsing x509 certificates

Assisted-by: Patrick Monnerat
Closes #7536
---

diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index c70378daca..9c3342dfcd 100644
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@@ -34,6 +34,7 @@
 #include "inet_pton.h"
 #include "curl_base64.h"
 #include "x509asn1.h"
+#include "dynbuf.h"
 /* The last 3 #include files should be in this order */
 #include "curl_printf.h"
@@ -205,16 +206,16 @@ static const char *bool2str(const char *beg, const char *end)
 */
 static const char *octet2str(const char *beg, const char *end)
 {
- size_t n = end - beg;
- char *buf = NULL;
+ struct dynbuf buf;
+ CURLcode result;
- if(n <= (SIZE_T_MAX - 1) / 3) {
- buf = malloc(3 * n + 1);
- if(buf)
- for(n = 0; beg < end; n += 3)
- msnprintf(buf + n, 4, "%02x:", *(const unsigned char *) beg++);
- }
- return buf;
+ Curl_dyn_init(&buf, 3 * CURL_ASN1_MAX + 1);
+ result = Curl_dyn_addn(&buf, "", 0);
+
+ while(!result && beg < end)
+ result = Curl_dyn_addf(&buf, "%02x:", (unsigned char) *beg++);
+
+ return Curl_dyn_ptr(&buf);
 }
 static const char *bit2str(const char *beg, const char *end)
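Review bot: The zero-length `Curl_dyn_addn(&buf, "", 0)` in octet2str reads like dead code and needs a comment, because it looks like the line that makes an empty octet string come back as an allocated, NUL-terminated buffer; the removed code returned the result of `malloc(1)` without ever writing to it when `beg == end`. Something like `/* make sure an empty input still yields a terminated string */` above that call would keep a later cleanup from dropping it. The failure path is also implicit: when an add fails the function returns whatever `Curl_dyn_ptr(&buf)` gives, which is presumably NULL if dynbuf releases its storage on error, but that is not visible in this hunk. The function's header comment, which starts above the hunk, should state that NULL is returned on allocation failure or when the input exceeds the `3 * CURL_ASN1_MAX + 1` cap, and that the caller owns and frees the result.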