From f9ac42b36f0dab7cf9325202425f20ef4ca0ebfe Mon Sep 17 00:00:00 2001
From: Mats Klepsland <mats.klepsland@gmail.com>
Date: Thu, 31 Mar 2016 16:15:26 +0200
Subject: [PATCH] util-decode-der: fix NULL dereference bug

Make sure that the length is not longer than the size of the buffer
provided.
---
 src/util-decode-der.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/util-decode-der.c b/src/util-decode-der.c
index 67e7b0dda9..040e214b40 100644
--- a/src/util-decode-der.c
+++ b/src/util-decode-der.c
@@ -216,6 +216,12 @@ static Asn1Generic * DecodeAsn1DerGeneric(const unsigned char *buffer, uint32_t
              * sequence parsing will fail
              */
             child->length += (d_ptr - save_d_ptr);
+
+            if (child->length > max_size - (d_ptr - buffer)) {
+                SCFree(child);
+                return NULL;
+            }
+
             break;
     };
     if (child == NULL)
-- 
2.47.2