encoding/asn1: fix off-by-one in parseBase128Int.
parseBase128Int compares |shifted| with four, seemingly to ensure the result fits in an int32 on 32-bit platforms where int is 32-bit. However, there is an off-by-one in this logic, so it actually allows five shifts, making the maximum tag number or OID component 2^35-1. Fix this so the maximum is 2^28-1 which should be plenty for OID components and tag numbers while not overflowing on 32-bit platforms. Change-Id: If825b30cc53a0fc08e68ea1a24d265e7eb1a13a4 Reviewed-on: https://go-review.googlesource.com/18225 Reviewed-by: Adam Langley <agl@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
parent
ace1738f9c
commit
7f96e266ec
@ -294,7 +294,7 @@ type Flag bool
|
||||
func parseBase128Int(bytes []byte, initOffset int) (ret, offset int, err error) {
|
||||
offset = initOffset
|
||||
for shifted := 0; offset < len(bytes); shifted++ {
|
||||
if shifted > 4 {
|
||||
if shifted == 4 {
|
||||
err = StructuralError{"base 128 integer too large"}
|
||||
return
|
||||
}
|
||||
|
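Review bot: The bound in `if shifted == 4` is an unexplained magic number, and the off-by-one this commit fixes shows how easily it is misread. A comment above the check, such as `// 4 bytes * 7 bits = 28 bits of data; a fifth byte could overflow a 32-bit int`, would tie the constant to the intent stated in the commit message. Because the limit counts encoded bytes instead of testing the accumulated value, a five-byte encoding padded with leading 0x80 bytes would presumably also be reported as "base 128 integer too large" even when its value is small. That is acceptable for a strict parser, but the comment should say so. The rest of the loop body and of parseBase128Int lies outside the hunk, so how `ret` is accumulated and how truncated input is reported cannot be checked from here.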
@ -380,6 +380,8 @@ var tagAndLengthData = []tagAndLengthTest{
|
||||
{[]byte{0xa0, 0x84, 0x80, 0x00, 0x00, 0x00}, false, tagAndLength{}},
|
||||
// Long length form may not be used for lengths that fit in short form.
|
||||
{[]byte{0xa0, 0x81, 0x7f}, false, tagAndLength{}},
|
||||
// Tag numbers which would overflow int32 are rejected. (The value below is 2^31.)
|
||||
{[]byte{0x1f, 0x88, 0x80, 0x80, 0x80, 0x00, 0x00}, false, tagAndLength{}},
|
||||
}
|
||||
|
||||
func TestParseTagAndLength(t *testing.T) {
|
||||
|
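Review bot: The added case exercises only 2^31, so it does not pin the new 2^28-1 limit. A later change that merely enforced "fits in int32" would still pass this test while accepting tag numbers from 2^28 to 2^31-1 again. Adding the smallest rejected value closes that gap, for example (constructed) `{[]byte{0x1f, 0x81, 0x80, 0x80, 0x80, 0x00, 0x00}, false, tagAndLength{}},` for 2^28, together with a positive case for the largest accepted tag, 2^28-1 in four tag bytes. The comment also understates the rule, since values that fit in int32 are now rejected too; `// Tag numbers above 2^28-1 are rejected. (The value below is 2^31.)` would match the parser.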