fix more oss-fuzz

2021-08-19 19:51:17 +08:00 · 2021-08-19 19:51:17 +08:00 · 1f1bd14459
commit 1f1bd14459
parent d4fd015189
13 changed files with 753 additions and 1 deletions
--- a/card-Correctly-free-pointers-durint-cache-invalidati.patch
+++ b/card-Correctly-free-pointers-durint-cache-invalidati.patch
@ -0,0 +1,32 @@
+From 61eb4e487e00ed6758a62f07222488c5ec5fdb42 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 30 Nov 2020 14:15:59 +0100
+Subject: [PATCH] card: Correctly free pointers durint cache invalidation
+
+As the whole structure is memset(0) on the following line,
+we need to clean the pointers before doing so.
+
+Thanks oss-fuzz
+
+Related to:
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27797
+---
+ src/libopensc/card.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libopensc/card.c b/src/libopensc/card.c
+index 0de8b7e..03c3cc8 100644
+--- a/src/libopensc/card.c
+++ b/src/libopensc/card.c
+@@ -1367,6 +1367,8 @@ scconf_block *sc_get_conf_block(sc_context_t *ctx, const char *name1, const char
+ void sc_invalidate_cache(struct sc_card *card)
+ {
+ 	if (card) {
+		sc_file_free(card->cache.current_ef);
+		sc_file_free(card->cache.current_df);
+ 		memset(&card->cache, 0, sizeof(card->cache));
+ 		card->cache.valid = 0;
+ 	}
+-- 
+1.8.3.1
+
--- a/cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
+++ b/cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
@ -0,0 +1,43 @@
+From 1252aca9f10771ef5ba8405e73cf2da50827958f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 4 Feb 2021 13:11:01 +0100
+Subject: [PATCH] cardos: Correctly calculate the left bytes to avoid buffer
+ overrun
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
+---
+ src/libopensc/card-cardos.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
+index 06dd3e3..2d50b8c 100644
+--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
+@@ -159,7 +159,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)
+ 	sc_apdu_t apdu;
+         u8        rbuf[SC_MAX_APDU_BUFFER_SIZE];
+         int       r;
+-	const u8  *p = rbuf, *q;
+	const u8  *p = rbuf, *q, *pp;
+ 	size_t    len, tlen = 0, ilen = 0;
+ 
+ 	sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
+@@ -175,10 +175,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)
+ 		return 0;
+ 
+ 	while (len != 0) {
+-		p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+-		if (p == NULL)
+		pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+		if (pp == NULL)
+ 			return 0;
+-		q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
+		q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
+ 		if (q == NULL || ilen != 4)
+ 			return 0;
+ 		if (q[0] == 0x1c)
+-- 
+1.8.3.1
+
--- a/iasecc-Avoid-another-memory-leak.patch
+++ b/iasecc-Avoid-another-memory-leak.patch
@ -0,0 +1,79 @@
+From 03cbf91be54e2b54dd87176d1136570610e32f3f Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Fri, 15 Jan 2021 13:40:34 +0100
+Subject: [PATCH] iasecc: Avoid another memory leak
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29456
+---
+ src/libopensc/card-iasecc.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/src/libopensc/card-iasecc.c b/src/libopensc/card-iasecc.c
+index d144b69..07a99f8 100644
+--- a/src/libopensc/card-iasecc.c
+++ b/src/libopensc/card-iasecc.c
+@@ -310,12 +310,14 @@ iasecc_select_mf(struct sc_card *card, struct sc_file **file_out)
+ 	mf_file->type = SC_FILE_TYPE_DF;
+ 	mf_file->path = path;
+ 
+-	if (card->cache.valid)
+-		 sc_file_free(card->cache.current_df);
+	if (card->cache.valid) {
+		sc_file_free(card->cache.current_df);
+	}
+ 	card->cache.current_df = NULL;
+ 
+-	if (card->cache.valid)
+	if (card->cache.valid) {
+ 		sc_file_free(card->cache.current_ef);
+	}
+ 	card->cache.current_ef = NULL;
+ 
+ 	sc_file_dup(&card->cache.current_df, mf_file);
+@@ -1069,25 +1071,23 @@ iasecc_select_file(struct sc_card *card, const struct sc_path *path,
+ 
+ 			sc_log(ctx, "FileType %i", file->type);
+ 			if (file->type == SC_FILE_TYPE_DF)   {
+-				if (card->cache.valid)
+				if (card->cache.valid) {
+ 					sc_file_free(card->cache.current_df);
+				}
+ 				card->cache.current_df = NULL;
+ 
+-
+-				if (card->cache.valid)
+-					sc_file_free(card->cache.current_ef);
+-				card->cache.current_ef = NULL;
+-
+ 				sc_file_dup(&card->cache.current_df, file);
+ 				card->cache.valid = 1;
+ 			}
+ 			else   {
+-				if (card->cache.valid)
+				if (card->cache.valid) {
+ 					sc_file_free(card->cache.current_ef);
+				}
+ 
+ 				card->cache.current_ef = NULL;
+ 
+ 				sc_file_dup(&card->cache.current_ef, file);
+				card->cache.valid = 1;
+ 			}
+ 
+ 			if (file_out)   {
+@@ -1493,8 +1493,9 @@ iasecc_delete_file(struct sc_card *card, const struct sc_path *path)
+ 		rv = sc_check_sw(card, apdu.sw1, apdu.sw2);
+ 		LOG_TEST_RET(ctx, rv, "Delete file failed");
+ 
+-		if (card->cache.valid)
+		if (card->cache.valid) {
+ 			sc_file_free(card->cache.current_ef);
+		}
+ 		card->cache.current_ef = NULL;
+ 	}
+ 
+-- 
+1.8.3.1
+
--- a/oberthur-Avoid-memory-leaks.patch
+++ b/oberthur-Avoid-memory-leaks.patch
@ -0,0 +1,75 @@
+From 251c4f6b7613a9cea421035e5971c793fc30f9e2 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 3 Feb 2021 21:27:21 +0100
+Subject: [PATCH] oberthur: Avoid memory leaks
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29998
+---
+ src/libopensc/pkcs15-oberthur.c | 20 +++++++++++++++-----
+ 1 file changed, 15 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index 576e3cf..fa823be 100644
+--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
+@@ -575,7 +575,7 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
+ 	struct sc_pkcs15_pubkey_info key_info;
+ 	struct sc_pkcs15_object key_obj;
+ 	char ch_tmp[0x100];
+-	unsigned char *info_blob;
+	unsigned char *info_blob = NULL;
+ 	size_t len, info_len, offs;
+ 	unsigned flags;
+ 	int rv;
+@@ -592,8 +592,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
+ 
+ 	/* Flags */
+ 	offs = 2;
+-	if (offs > info_len)
+	if (offs > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'tag'");
+	}
+ 	flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
+ 	key_info.usage = sc_oberthur_decode_usage(flags);
+ 	if (flags & OBERTHUR_ATTR_MODIFIABLE)
+@@ -601,8 +603,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
+ 	sc_log(ctx, "Public key key-usage:%04X", key_info.usage);
+ 
+ 	/* Label */
+-	if (offs + 2 > info_len)
+	if (offs + 2 > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'Label'");
+	}
+ 	len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ 	if (len)   {
+ 		if (len > sizeof(key_obj.label) - 1)
+@@ -612,14 +616,20 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
+ 	offs += 2 + len;
+ 
+ 	/* ID */
+-	if (offs > info_len)
+	if (offs > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'ID'");
+	}
+ 	len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+-	if (!len || len > sizeof(key_info.id.value))
+	if (!len || len > sizeof(key_info.id.value)) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'ID' length");
+	}
+ 	memcpy(key_info.id.value, info_blob + offs + 2, len);
+ 	key_info.id.len = len;
+ 
+	free(info_blob);
+
+ 	/* Ignore Start/End dates */
+ 
+ 	snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PUB, file_id);
+-- 
+1.8.3.1
+
--- a/oberthur-Avoid-two-buffer-overflows.patch
+++ b/oberthur-Avoid-two-buffer-overflows.patch
@ -0,0 +1,46 @@
+From 17d8980cde7be597afc366b7e311d0d7cadcb1f4 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 3 Feb 2021 21:46:15 +0100
+Subject: [PATCH] oberthur: Avoid two buffer overflows
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=30112
+---
+ src/libopensc/pkcs15-oberthur.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index d3236a9..bf88a06 100644
+--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
+@@ -884,12 +884,16 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
+ 	offs = 2;
+ 
+ 	/* Label */
+-	if (offs > info_len) {
+	if (offs + 2 > info_len) {
+ 		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'label'");
+ 	}
+ 	label = info_blob + offs + 2;
+ 	label_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+	if (offs + 2 + label_len > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'label' received");
+	}
+ 	if (label_len > sizeof(dobj.label) - 1)
+ 		label_len = sizeof(dobj.label) - 1;
+ 	offs += 2 + *(info_blob + offs + 1);
+@@ -906,7 +910,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
+ 	offs += 2 + app_len;
+ 
+ 	/* OID encode like DER(ASN.1(oid)) */
+-	if (offs > info_len) {
+	if (offs + 1 > info_len) {
+ 		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
+ 	}
+-- 
+1.8.3.1
+
--- a/oberthur-Correctly-check-for-return-values.patch
+++ b/oberthur-Correctly-check-for-return-values.patch
@ -0,0 +1,53 @@
+From 1db88374bb7706a115d5c3617c6f16115c33bf27 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 7 Jan 2021 14:20:31 +0100
+Subject: [PATCH] oberthur: Correctly check for return values
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28843
+---
+ src/libopensc/pkcs15-oberthur.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index 29aab0b..576e3cf 100644
+--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
+@@ -304,7 +304,7 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
+ 	if (verify_pin && rv == SC_ERROR_SECURITY_STATUS_NOT_SATISFIED)   {
+ 		struct sc_pkcs15_object *objs[0x10], *pin_obj = NULL;
+ 		const struct sc_acl_entry *acl = sc_file_get_acl_entry(file, SC_AC_OP_READ);
+-		int ii;
+		int ii, nobjs;
+ 
+ 		if (acl == NULL) {
+ 			sc_file_free(file);
+@@ -313,18 +313,19 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
+ 			LOG_FUNC_RETURN(ctx, SC_ERROR_INVALID_DATA);
+ 		}
+ 
+-		rv = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH_PIN, objs, 0x10);
+-		if (rv != SC_SUCCESS) {
+		nobjs = sc_pkcs15_get_objects(p15card, SC_PKCS15_TYPE_AUTH_PIN, objs, 0x10);
+		if (nobjs < 1) {
+ 			sc_file_free(file);
+ 			free(*out);
+ 			*out = NULL;
+-			LOG_TEST_RET(ctx, rv, "Cannot read oberthur file: get AUTH objects error");
+			LOG_TEST_RET(ctx, SC_ERROR_DATA_OBJECT_NOT_FOUND,
+				"Cannot read oberthur file: get AUTH objects error");
+ 		}
+ 
+-		for (ii=0; ii<rv; ii++)   {
+		for (ii = 0; ii < nobjs; ii++) {
+ 			struct sc_pkcs15_auth_info *auth_info = (struct sc_pkcs15_auth_info *) objs[ii]->data;
+ 			sc_log(ctx, "compare PIN/ACL refs:%i/%i, method:%i/%i",
+-					auth_info->attrs.pin.reference, acl->key_ref, auth_info->auth_method, acl->method);
+				auth_info->attrs.pin.reference, acl->key_ref, auth_info->auth_method, acl->method);
+ 			if (auth_info->attrs.pin.reference == (int)acl->key_ref && auth_info->auth_method == (unsigned)acl->method)   {
+ 				pin_obj = objs[ii];
+ 				break;
+-- 
+1.8.3.1
+
--- a/oberthur-Fix-memory-leaks.patch
+++ b/oberthur-Fix-memory-leaks.patch
@ -0,0 +1,39 @@
+From 715c17c469f6c463dd511a5deb229da4de9ee100 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 17 Mar 2021 20:17:34 +0100
+Subject: [PATCH] oberthur: Fix memory leaks
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149
+---
+ src/libopensc/pkcs15-oberthur.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index 314a7bd..4ba201f 100644
+--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
+@@ -211,6 +211,7 @@ sc_oberthur_get_certificate_authority(struct sc_pkcs15_der *der, int *out_author
+ 
+ 	BIO_set_mem_buf(bio, &buf_mem, BIO_NOCLOSE);
+ 	x = d2i_X509_bio(bio, 0);
+	free(buf_mem.data);
+ 	BIO_free(bio);
+ 	if (!x)
+ 		return SC_ERROR_INVALID_DATA;
+@@ -729,7 +730,10 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
+ 	cinfo.value.len = cert_len;
+ 
+ 	rv = sc_oberthur_get_certificate_authority(&cinfo.value, &cinfo.authority);
+-	LOG_TEST_RET(ctx, rv, "Failed to add certificate: get certificate attributes error");
+	if (rv != SC_SUCCESS) {
+		free(cinfo.value.value);
+		LOG_TEST_RET(ctx, rv, "Failed to add certificate: get certificate attributes error");
+	}
+ 
+ 	if (flags & OBERTHUR_ATTR_MODIFIABLE)
+ 		cobj.flags |= SC_PKCS15_CO_FLAG_MODIFIABLE;
+-- 
+1.8.3.1
+
--- a/oberthur-Free-another-read-data-on-failure-paths.patch
+++ b/oberthur-Free-another-read-data-on-failure-paths.patch
@ -0,0 +1,77 @@
+From 9c91a4327e6db579f7f964f147fd6e94a0e1b85e Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Wed, 3 Feb 2021 21:34:52 +0100
+Subject: [PATCH] oberthur: Free another read data on failure paths
+
+---
+ src/libopensc/pkcs15-oberthur.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index fa823be..d3236a9 100644
+--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
+@@ -876,14 +876,18 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
+ 	rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1);
+ 	LOG_TEST_RET(ctx, rv, "Failed to add data: read oberthur file error");
+ 
+-	if (info_len < 2)
+	if (info_len < 2) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'tag'");
+	}
+ 	flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
+ 	offs = 2;
+ 
+ 	/* Label */
+-	if (offs > info_len)
+	if (offs > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'label'");
+	}
+ 	label = info_blob + offs + 2;
+ 	label_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ 	if (label_len > sizeof(dobj.label) - 1)
+@@ -891,8 +895,10 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
+ 	offs += 2 + *(info_blob + offs + 1);
+ 
+ 	/* Application */
+-	if (offs > info_len)
+	if (offs > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'application'");
+	}
+ 	app = info_blob + offs + 2;
+ 	app_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ 	if (app_len > sizeof(dinfo.app_label) - 1)
+@@ -900,13 +906,17 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
+ 	offs += 2 + app_len;
+ 
+ 	/* OID encode like DER(ASN.1(oid)) */
+-	if (offs > info_len)
+	if (offs > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
+	}
+ 	oid_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+ 	if (oid_len)   {
+ 		oid = info_blob + offs + 2;
+-		if (*oid != 0x06 || (*(oid + 1) != oid_len - 2))
+		if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) {
+			free(info_blob);
+ 			LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: invalid 'OID' format");
+		}
+ 		oid += 2;
+ 		oid_len -= 2;
+ 	}
+@@ -933,6 +943,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
+ 
+ 	rv = sc_pkcs15emu_add_data_object(p15card, &dobj, &dinfo);
+ 
+	free(info_blob);
+ 	LOG_FUNC_RETURN(p15card->card->ctx, rv);
+ }
+ 
+-- 
+1.8.3.1
+
--- a/oberthur-Handle-1B-OIDs.patch
+++ b/oberthur-Handle-1B-OIDs.patch
@ -0,0 +1,28 @@
+From cae5c71f90cc5b364efe14040923fd5aa3b5dd90 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Tue, 6 Apr 2021 12:45:24 +0200
+Subject: [PATCH] oberthur: Handle 1B OIDs
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32807
+---
+ src/libopensc/pkcs15-oberthur.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index 0ddfc3f..6487656 100644
+--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
+@@ -973,7 +973,7 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
+ 		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'oid' received");
+ 	}
+-	if (oid_len)   {
+	if (oid_len > 2) {
+ 		oid = info_blob + offs + 2;
+ 		if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) {
+ 			free(info_blob);
+-- 
+1.8.3.1
+
--- a/oberthur-Handle-more-memory-issues-during-initializa.patch
+++ b/oberthur-Handle-more-memory-issues-during-initializa.patch
@ -0,0 +1,199 @@
+From 40c50a3a4219308aae90f6efd7b10213794a8d86 Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Mon, 1 Mar 2021 11:57:06 +0100
+Subject: [PATCH] oberthur: Handle more memory issues during initialization
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31540
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31448
+---
+ src/libopensc/pkcs15-oberthur.c | 83 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 66 insertions(+), 17 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index bf88a06..ebaca47 100644
+--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
+@@ -659,7 +659,7 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
+ 	struct sc_context *ctx = p15card->card->ctx;
+ 	struct sc_pkcs15_cert_info cinfo;
+ 	struct sc_pkcs15_object cobj;
+-	unsigned char *info_blob, *cert_blob;
+	unsigned char *info_blob = NULL, *cert_blob = NULL;
+ 	size_t info_len, cert_len, len, offs;
+ 	unsigned flags;
+ 	int rv;
+@@ -675,16 +675,23 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
+ 	rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1);
+ 	LOG_TEST_RET(ctx, rv, "Failed to add certificate: read oberthur file error");
+ 
+-	if (info_len < 2)
+	if (info_len < 2) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'tag'");
+	}
+ 	flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
+ 	offs = 2;
+ 
+ 	/* Label */
+-	if (offs + 2 > info_len)
+	if (offs + 2 > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'CN'");
+	}
+ 	len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+-	if (len)   {
+	if (len + offs + 2 > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'CN' length");
+	} else if (len) {
+ 		if (len > sizeof(cobj.label) - 1)
+ 			len = sizeof(cobj.label) - 1;
+ 		memcpy(cobj.label, info_blob + offs + 2, len);
+@@ -692,14 +699,23 @@ sc_pkcs15emu_oberthur_add_cert(struct sc_pkcs15_card *p15card, unsigned int file
+ 	offs += 2 + len;
+ 
+ 	/* ID */
+-	if (offs > info_len)
+	if (offs + 2 > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add certificate: no 'ID'");
+	}
+ 	len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+-	if (len > sizeof(cinfo.id.value))
+	if (len + offs + 2 > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'ID' length");
+	} else if (len > sizeof(cinfo.id.value)) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add certificate: invalid 'ID' length");
+	}
+ 	memcpy(cinfo.id.value, info_blob + offs + 2, len);
+ 	cinfo.id.len = len;
+ 
+	free(info_blob);
+
+ 	/* Ignore subject, issuer and serial */
+ 
+ 	snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PUB, file_id);
+@@ -784,15 +800,23 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card,
+ 	rv = sc_oberthur_read_file(p15card, ch_tmp, &info_blob, &info_len, 1);
+ 	LOG_TEST_RET(ctx, rv, "Failed to add private key: read oberthur file error");
+ 
+-	if (info_len < 2)
+	if (info_len < 2) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'tag'");
+	}
+ 	flags = *(info_blob + 0) * 0x100 + *(info_blob + 1);
+ 	offs = 2;
+ 
+ 	/* CN */
+-	if (offs > info_len)
+	if (offs + 2 > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'CN'");
+	}
+ 	len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+	if (len + offs + 2 > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'CN' length");
+	}
+ 	if (len && !strlen(kobj.label))   {
+ 		if (len > sizeof(kobj.label) - 1)
+ 			len = sizeof(kobj.label) - 1;
+@@ -801,13 +825,21 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card,
+ 	offs += 2 + len;
+ 
+ 	/* ID */
+-	if (offs > info_len)
+	if (offs + 2 > info_len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'ID'");
+	}
+ 	len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+-	if (!len)
+	if (!len) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: zero length ID");
+-	else if (len > sizeof(kinfo.id.value))
+	} else if (len + offs + 2 > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'ID' length");
+	} else if (len > sizeof(kinfo.id.value)) {
+		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add private key: invalid ID length");
+	}
+ 	memcpy(kinfo.id.value, info_blob + offs + 2, len);
+ 	kinfo.id.len = len;
+ 	offs += 2 + len;
+@@ -816,19 +848,28 @@ sc_pkcs15emu_oberthur_add_prvkey(struct sc_pkcs15_card *p15card,
+ 	offs += 16;
+ 
+ 	/* Subject encoded in ASN1 */
+-	if (offs > info_len)
+-		return SC_ERROR_UNKNOWN_DATA_RECEIVED;
+	if (offs + 2 > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add private key: no 'subject'");
+	}
+ 	len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+-	if (len)   {
+	if (len + offs + 2 > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid 'subject' length");
+	} else if (len) {
+ 		kinfo.subject.value = malloc(len);
+-		if (!kinfo.subject.value)
+		if (!kinfo.subject.value) {
+			free(info_blob);
+ 			LOG_TEST_RET(ctx, SC_ERROR_OUT_OF_MEMORY, "Failed to add private key: memory allocation error");
+		}
+ 		kinfo.subject.len = len;
+ 		memcpy(kinfo.subject.value, info_blob + offs + 2, len);
+ 	}
+ 
+ 	/* Modulus and exponent are ignored */
+ 
+	free(info_blob);
+
+ 	snprintf(ch_tmp, sizeof(ch_tmp), "%s%04X", AWP_OBJECTS_DF_PRV, file_id);
+ 	sc_format_path(ch_tmp, &kinfo.path);
+ 	sc_log(ctx, "Private key info path %s", ch_tmp);
+@@ -899,22 +940,30 @@ sc_pkcs15emu_oberthur_add_data(struct sc_pkcs15_card *p15card,
+ 	offs += 2 + *(info_blob + offs + 1);
+ 
+ 	/* Application */
+-	if (offs > info_len) {
+	if (offs + 2 > info_len) {
+ 		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'application'");
+ 	}
+ 	app = info_blob + offs + 2;
+ 	app_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+	if (offs + 2 + app_len > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'application' received");
+	}
+ 	if (app_len > sizeof(dinfo.app_label) - 1)
+ 		app_len = sizeof(dinfo.app_label) - 1;
+ 	offs += 2 + app_len;
+ 
+ 	/* OID encode like DER(ASN.1(oid)) */
+-	if (offs + 1 > info_len) {
+	if (offs + 2 > info_len) {
+ 		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add data: no 'OID'");
+ 	}
+ 	oid_len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+	if (offs + 2 + oid_len > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Invalid length of 'oid' received");
+	}
+ 	if (oid_len)   {
+ 		oid = info_blob + offs + 2;
+ 		if (*oid != 0x06 || (*(oid + 1) != oid_len - 2)) {
+-- 
+1.8.3.1
+
--- a/oberthur-One-more-overlooked-buffer-overflow.patch
+++ b/oberthur-One-more-overlooked-buffer-overflow.patch
@ -0,0 +1,31 @@
+From 5d4daf6c92e4668f5458f380f3cacea3e879d91a Mon Sep 17 00:00:00 2001
+From: Jakub Jelen <jjelen@redhat.com>
+Date: Thu, 18 Mar 2021 19:48:33 +0100
+Subject: [PATCH] oberthur: One more overlooked buffer overflow
+
+Thanks oss-fuzz
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32202
+---
+ src/libopensc/pkcs15-oberthur.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index 4ba201f..0ddfc3f 100644
+--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
+@@ -609,7 +609,10 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'Label'");
+ 	}
+ 	len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+-	if (len)   {
+	if (offs + 2 + len > info_len) {
+		free(info_blob);
+		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'Label' length");
+	} else if (len) {
+ 		if (len > sizeof(key_obj.label) - 1)
+ 			len = sizeof(key_obj.label) - 1;
+ 		memcpy(key_obj.label, info_blob + offs + 2, len);
+-- 
+1.8.3.1
+
--- a/oberthur-fixed-Heap-buffer-overflow.patch
+++ b/oberthur-fixed-Heap-buffer-overflow.patch
@ -0,0 +1,34 @@
+From 05648b0604bf3e498e8d42dff3c6e7c56a5bf749 Mon Sep 17 00:00:00 2001
+From: Frank Morgner <frankmorgner@gmail.com>
+Date: Wed, 17 Mar 2021 18:16:34 +0100
+Subject: [PATCH] oberthur: fixed Heap-buffer-overflow
+
+fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32149
+---
+ src/libopensc/pkcs15-oberthur.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
+index ebaca47..314a7bd 100644
+--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
+@@ -616,12 +616,14 @@ sc_pkcs15emu_oberthur_add_pubkey(struct sc_pkcs15_card *p15card,
+ 	offs += 2 + len;
+ 
+ 	/* ID */
+-	if (offs > info_len) {
+	if (offs + 2 > info_len) {
+ 		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_UNKNOWN_DATA_RECEIVED, "Failed to add public key: no 'ID'");
+ 	}
+ 	len = *(info_blob + offs + 1) + *(info_blob + offs) * 0x100;
+-	if (!len || len > sizeof(key_info.id.value)) {
+	if (len == 0
+			|| len > sizeof(key_info.id.value)
+			|| offs + 2 + len > info_len) {
+ 		free(info_blob);
+ 		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "Failed to add public key: invalid 'ID' length");
+ 	}
+-- 
+1.8.3.1
+
--- a/opensc.spec
+++ b/opensc.spec
@ -3,7 +3,7 @@

 Name:            opensc
 Version:         0.21.0
-Release:         2
+Release:         3
 License:         LGPLv2.1+
 Summary:         Smart card library and applications
 URL:             https://github.com/OpenSC/OpenSC/wiki
@ -17,6 +17,19 @@ Obsoletes:       coolkey <= 1.1.0-36
 Obsoletes:       mozilla-opensc-signer < 0.12.0
 Obsoletes:       opensc-devel < 0.12.0

+Patch0:   iasecc-Avoid-another-memory-leak.patch
+Patch1:   card-Correctly-free-pointers-durint-cache-invalidati.patch
+Patch2:   oberthur-Free-another-read-data-on-failure-paths.patch
+Patch3:   oberthur-Avoid-two-buffer-overflows.patch
+Patch4:   oberthur-Handle-more-memory-issues-during-initializa.patch
+Patch5:   oberthur-Fix-memory-leaks.patch
+Patch6:   oberthur-Correctly-check-for-return-values.patch
+Patch7:   oberthur-Avoid-memory-leaks.patch
+Patch8:   oberthur-fixed-Heap-buffer-overflow.patch
+Patch9:   oberthur-One-more-overlooked-buffer-overflow.patch
+Patch10:  cardos-Correctly-calculate-the-left-bytes-to-avoid-b.patch
+Patch11:  oberthur-Handle-1B-OIDs.patch
+
 %description
 OpenSC provides a set of libraries and utilities to work with smart cards.
 Its main focus is on cards that support cryptographic operations, and
@ -134,6 +147,9 @@ make check
 %{_datadir}/opensc/

 %changelog
+* Thu Aug 19 2021 zoulin <zoulin13@huawei.com> - 0.21.0-3
+- fix more oss-fuzz
+
 * Thu Mar 18 2021 Hugel <gengqihu1@huawei.com> - 0.21.0-2
 - Remove unused file pkcs11-register.desktop