From: Jeremy Allison <jra@samba.org>
Date: Fri, 5 Feb 2016 21:15:57 +0000 (-0800)
Subject: asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start... 
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=697088ef165d9ee42502d7a8ab51edc90010386e;p=amitay%2Fsamba.git

asn1: Make asn1_peek_tag_needed_size() use the same overflow protection as asn1_start_tag().

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---

diff --git a/lib/util/asn1.c b/lib/util/asn1.c
index dc7f679fa61..029265e2b86 100644
--- a/lib/util/asn1.c
+++ b/lib/util/asn1.c
@@ -593,12 +593,24 @@ static bool asn1_peek_tag_needed_size(struct asn1_data *data, uint8_t tag,
 		}
 		taglen = b;
 		while (n > 1) {
+			size_t tmp_taglen;
+
 			if (!asn1_read_uint8(data, &b)) {
 				data->ofs = start_ofs;
 				data->has_error = false;
 				return false;
 			}
-			taglen = (taglen << 8) | b;
+
+			tmp_taglen = (taglen << 8) | b;
+
+			if ((tmp_taglen >> 8) != taglen) {
+				/* overflow */
+				data->ofs = start_ofs;
+				data->has_error = false;
+				return false;
+			}
+			taglen = tmp_taglen;
+
 			n--;
 		}
 	} else {