Commit 35fbfa93 authored by Vasil Velichkov's avatar Vasil Velichkov

aper: uper: Fix a heap buffer overflow

When there were no padding bits at all, the uper and aper decoders were still
trying to read some, which resulted in a read past the buffer end.

See https://github.com/mouse07410/asn1c/issues/33#issuecomment-374625610

ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000315 at pc 0x000102ce9c15 bp 0x7fff5d20a8d0 sp 0x7fff5d20a8c8
READ of size 1 at 0x602000000315 thread T0
    #0 0x102ce9c14 in asn_get_few_bits asn_bit_data.c:132
    #1 0x102d878fd in aper_open_type_get_simple per_opentype.c:455
    #2 0x102d85dcc in aper_open_type_get per_opentype.c:514
parent bb880872
...@@ -119,7 +119,7 @@ uper_open_type_get_simple(const asn_codec_ctx_t *ctx, ...@@ -119,7 +119,7 @@ uper_open_type_get_simple(const asn_codec_ctx_t *ctx,
if(rv.code == RC_OK) { if(rv.code == RC_OK) {
/* Check padding validity */ /* Check padding validity */
padding = spd.nbits - spd.nboff; padding = spd.nbits - spd.nboff;
if ((padding < 8 || if (((padding > 0 && padding < 8) ||
/* X.691#10.1.3 */ /* X.691#10.1.3 */
(spd.nboff == 0 && spd.nbits == 8 && spd.buffer == buf)) && (spd.nboff == 0 && spd.nbits == 8 && spd.buffer == buf)) &&
per_get_few_bits(&spd, padding) == 0) { per_get_few_bits(&spd, padding) == 0) {
...@@ -132,8 +132,7 @@ uper_open_type_get_simple(const asn_codec_ctx_t *ctx, ...@@ -132,8 +132,7 @@ uper_open_type_get_simple(const asn_codec_ctx_t *ctx,
ASN_DEBUG("Too large padding %d in open type", (int)padding); ASN_DEBUG("Too large padding %d in open type", (int)padding);
ASN__DECODE_FAILED; ASN__DECODE_FAILED;
} else { } else {
ASN_DEBUG("Non-zero padding"); ASN_DEBUG("No padding");
ASN__DECODE_FAILED;
} }
} else { } else {
FREEMEM(buf); FREEMEM(buf);
...@@ -449,7 +448,7 @@ aper_open_type_get_simple(const asn_codec_ctx_t *ctx, ...@@ -449,7 +448,7 @@ aper_open_type_get_simple(const asn_codec_ctx_t *ctx,
if(rv.code == RC_OK) { if(rv.code == RC_OK) {
/* Check padding validity */ /* Check padding validity */
padding = spd.nbits - spd.nboff; padding = spd.nbits - spd.nboff;
if ((padding < 8 || if (((padding > 0 && padding < 8) ||
/* X.691#10.1.3 */ /* X.691#10.1.3 */
(spd.nboff == 0 && spd.nbits == 8 && spd.buffer == buf)) && (spd.nboff == 0 && spd.nbits == 8 && spd.buffer == buf)) &&
per_get_few_bits(&spd, padding) == 0) { per_get_few_bits(&spd, padding) == 0) {
...@@ -462,8 +461,7 @@ aper_open_type_get_simple(const asn_codec_ctx_t *ctx, ...@@ -462,8 +461,7 @@ aper_open_type_get_simple(const asn_codec_ctx_t *ctx,
ASN_DEBUG("Too large padding %d in open type", (int)padding); ASN_DEBUG("Too large padding %d in open type", (int)padding);
ASN__DECODE_FAILED; ASN__DECODE_FAILED;
} else { } else {
ASN_DEBUG("Non-zero padding"); ASN_DEBUG("No padding");
ASN__DECODE_FAILED;
} }
} else { } else {
FREEMEM(buf); FREEMEM(buf);
......
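Review bot: The `else` branch that now only logs "No padding" in the -132 hunk of uper_open_type_get_simple (and identically in the -462 hunk of aper_open_type_get_simple) is reached in two different situations, and dropping `ASN__DECODE_FAILED` from it makes both succeed: `padding == 0`, which the commit correctly wants to accept, but also `padding` in 1..7 where `per_get_few_bits(&spd, padding)` returned non-zero bits, because the new `padding > 0 && padding < 8` guard makes the first `if` fail for that case as well. The lines between the two hunks (old 124–131) are not visible here, but assuming the middle branch is the `padding >= 8` test that guards "Too large padding", non-zero padding bits, which X.691#10.1.3 requires to be zero, are no longer rejected at all, so the overflow fix silently weakens the decoder's input validation. Keeping the old "Non-zero padding" failure for `padding > 0` and letting only the zero-padding case fall through preserves both the fix and the check. The enclosing functions continue past the end of each hunk.
```c
/* … unchanged: "Too large padding" branch … */
} else if(padding > 0) {
    /* 1..7 padding bits present but not all zero: X.691#10.1.3 violation */
    ASN_DEBUG("Non-zero padding");
    ASN__DECODE_FAILED;
} else {
    ASN_DEBUG("No padding");
}
```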