Source:

Internal

Info:

Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows

remote attackers to have unspecified impact via unknown vectors.

Status:

Need to determine if this patch has been sent upstream.

--- libtasn1-2.8/lib/parser_aux.c.orig 2015-04-15 12:36:59.603251259 +0530

+++ libtasn1-2.8/lib/parser_aux.c 2015-04-15 12:38:34.145677358 +0530

@@ -580,7 +580,7 @@ _asn1_delete_list_and_nodes (void)

char *

-_asn1_ltostr (long v, char *str)

+_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE])

{

long d, r;

char temp[20];

@@ -604,7 +604,7 @@ _asn1_ltostr (long v, char *str)

count++;

v = d;

}

- while (v);

+ while (v && ((start+count) < LTOSTR_MAX_SIZE-1));

for (k = 0; k < count; k++)

str[k + start] = temp[start + count - k - 1];

--- libtasn1-2.8/lib/parser_aux.h.orig 2015-04-15 12:38:41.020519734 +0530

+++ libtasn1-2.8/lib/parser_aux.h 2015-04-15 12:40:23.768693524 +0530

@@ -63,7 +63,9 @@ void _asn1_delete_list (void);

void _asn1_delete_list_and_nodes (void);

-char *_asn1_ltostr (long v, char *str);

+/* Max 64-bit integer length is 20 chars + 1 for sign + 1 for null termination */

+#define LTOSTR_MAX_SIZE 22

+char *_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE]);

ASN1_TYPE _asn1_find_up (ASN1_TYPE node);