From 627cc23769dc574ca13e6fd6e1af1ab34b5bb575 Mon Sep 17 00:00:00 2001
From: Victor Julien
Date: Sun, 3 Nov 2019 09:50:14 +0100
Subject: [PATCH] detect/asn1: fix offset bounds checking
---
 src/detect-asn1.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/src/detect-asn1.c b/src/detect-asn1.c
index 524bd97868..c4f0cb1f18 100644
--- a/src/detect-asn1.c
+++ b/src/detect-asn1.c
@@ -148,21 +148,23 @@ static int DetectAsn1Match(DetectEngineThreadCtx *det_ctx, Packet *p,
 }
 const DetectAsn1Data *ad = (const DetectAsn1Data *)ctx;
-
- Asn1Ctx *ac = SCAsn1CtxNew();
- if (ac == NULL)
- return 0;
-
+ int32_t offset;
 if (ad->flags & ASN1_ABSOLUTE_OFFSET) {
- SCAsn1CtxInit(ac, p->payload + ad->absolute_offset,
- p->payload_len - ad->absolute_offset);
+ offset = ad->absolute_offset;
 } else if (ad->flags & ASN1_RELATIVE_OFFSET) {
- SCAsn1CtxInit(ac, p->payload + ad->relative_offset,
- p->payload_len - ad->relative_offset);
+ offset = ad->relative_offset;
 } else {
- SCAsn1CtxInit(ac, p->payload, p->payload_len);
+ offset = 0;
 }
+ if (offset >= (int32_t)p->payload_len) {
+ return 0;
+ }
+
+ Asn1Ctx *ac = SCAsn1CtxNew();
+ if (ac == NULL)
+ return 0;
+
+ SCAsn1CtxInit(ac, p->payload + offset, p->payload_len - offset);
 SCAsn1Decode(ac, ac->cur_frame);
 /* Ok, now we have all the data. Let's check the nodes */
--
2.47.2
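Review bot: The new guard `if (offset >= (int32_t)p->payload_len)` only bounds the offset from above; a negative `offset` passes it, after which `p->payload + offset` points before the buffer and `p->payload_len - offset` claims more bytes than the payload holds. `offset` is a signed `int32_t` copied straight from `ad->absolute_offset` / `ad->relative_offset`, and nothing in this hunk shows that the rule parser rejects negative values, so unless that is guaranteed elsewhere the check should read `if (offset < 0 || offset >= (int32_t)p->payload_len) {` — it is free here and makes the matcher safe on its own. A short comment above the guard, `/* reject offsets outside the payload; offset == payload_len leaves nothing to decode */`, would also record why `>=` rather than `>` is the right comparison. DetectAsn1Match begins before this hunk and continues after it.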