From 1252aca9f10771ef5ba8405e73cf2da50827958f Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 4 Feb 2021 13:11:01 +0100
Subject: [PATCH] cardos: Correctly calculate the left bytes to avoid buffer
overrun
Thanks oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=29912
---
src/libopensc/card-cardos.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
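diff --git a/src/libopensc/card-cardos.c b/src/libopensc/card-cardos.c
index 06dd3e3..2d50b8c 100644
--- a/src/libopensc/card-cardos.c
+++ b/src/libopensc/card-cardos.c
@@ -159,7 +159,7 @@ static int cardos_have_2048bit_package(sc_card_t *card)
 sc_apdu_t apdu;
 u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];
 int r;
- const u8 *p = rbuf, *q;
+ const u8 *p = rbuf, *q, *pp;
 size_t len, tlen = 0, ilen = 0;
 
 sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xca, 0x01, 0x88);
@@ -175,10 +175,10 @@ static int cardos_have_2048bit_package(sc_card_t *card)
 return 0;
 
 while (len != 0) {
- p = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
- if (p == NULL)
+ pp = sc_asn1_find_tag(card->ctx, p, len, 0xe1, &tlen);
+ if (pp == NULL)
 return 0;
- q = sc_asn1_find_tag(card->ctx, p, tlen, 0x01, &ilen);
+ q = sc_asn1_find_tag(card->ctx, pp, tlen, 0x01, &ilen);
 if (q == NULL || ilen != 4)
 return 0;
 if (q[0] == 0x1c)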
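Review bot: In the second hunk, `pp` now holds the value pointer of the 0xe1 object while `p` stays the cursor over `rbuf`, but the step that advances `p` and shrinks `len` lies after the last visible line (`if (q[0] == 0x1c)`), so the hunk alone does not show that the remaining-length arithmetic is tied to `pp`. If that step still assumes a fixed header size, deriving both values from the returned pointer would keep the unsigned `len` from wrapping when the object uses a long-form length or is preceded by other objects that the search skipped: `len -= (size_t)(pp + tlen - p);` followed by `p = pp + tlen;`. A one-line comment at the declaration, e.g. `/* p: cursor into rbuf; pp: value of the current 0xe1 object */`, would make explicit the distinction this fix depends on. The body of cardos_have_2048bit_package starts and ends outside both hunks.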
--
1.8.3.1