1
0
mirror of https://github.com/golang/go synced 2024-11-12 10:20:27 -07:00

encoding/asn1: fix off-by-one in parseBase128Int.

parseBase128Int compares |shifted| with four, seemingly to ensure the result
fits in an int32 on 32-bit platforms where int is 32-bit. However, there is an
off-by-one in this logic, so it actually allows five shifts, making the maximum
tag number or OID component 2^35-1.

Fix this so the maximum is 2^28-1 which should be plenty for OID components and
tag numbers while not overflowing on 32-bit platforms.

Change-Id: If825b30cc53a0fc08e68ea1a24d265e7eb1a13a4
Reviewed-on: https://go-review.googlesource.com/18225
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>
This commit is contained in:
David Benjamin 2016-01-04 16:16:28 -08:00 committed by Russ Cox
parent ace1738f9c
commit 7f96e266ec
2 changed files with 3 additions and 1 deletions

View File

@ -294,7 +294,7 @@ type Flag bool
func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) {
offset = initOffset
for shifted := 0; offset < len(bytes); shifted++ {
if shifted > 4 {
if shifted == 4 {
err = StructuralError{"base 128 integer too large"}
return
}

View File

@ -380,6 +380,8 @@ var tagAndLengthData = []tagAndLengthTest{
{[]byte{0xa0, 0x84, 0x80, 0x00, 0x00, 0x00}, false, tagAndLength{}},
// Long length form may not be used for lengths that fit in short form.
{[]byte{0xa0, 0x81, 0x7f}, false, tagAndLength{}},
// Tag numbers which would overflow int32 are rejected. (The value below is 2^31.)
{[]byte{0x1f, 0x88, 0x80, 0x80, 0x80, 0x00, 0x00}, false, tagAndLength{}},
}
func TestParseTagAndLength(t *testing.T) {