roytam1/UXP
1
0
Fork 0
mirror of https://github.com/roytam1/UXP.git synced 2026-05-26 13:58:49 +00:00
Code Issues Projects Releases Wiki Activity

[NSS] Reject excessively large ASN.1 SEQUENCE OF in quickder.

Browse Source
This commit is contained in:
Moonchild
2026-04-24 20:55:33 +02:00
committed by roytam1
parent bee96124c5
commit 9dd4cfcc64
1 changed files with 9 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
security/nss/lib/util/quickder.c
+9 -2
View File
@@ -517,11 +517,18 @@ DecodeGroup(void* dest,
}
} while ((SECSuccess == rv) && (counter.len));
/* Limit entry data to 1 GiB. */
if (SECSuccess == rv && subTemplate->size &&
totalEntries > ((size_t)1 << 30) / subTemplate->size) {
PORT_SetError(SEC_ERROR_BAD_DER);
rv = SECFailure;
}
if (SECSuccess == rv) {
/* allocate room for pointer array and entries */
/* we want to allocate the array even if there is 0 entry */
entries = (void**)PORT_ArenaZAlloc(arena, sizeof(void*) * (totalEntries + 1) + /* the extra one is for NULL termination */
subTemplate->size * totalEntries);
(size_t)subTemplate->size * totalEntries);
if (entries) {
entries[totalEntries] = NULL; /* terminate the array */
@@ -535,7 +542,7 @@ DecodeGroup(void* dest,
PRUint32 entriesIndex = 0;
for (entriesIndex = 0; entriesIndex < totalEntries; entriesIndex++) {
entries[entriesIndex] =
(char*)entriesData + (subTemplate->size * entriesIndex);
(char*)entriesData + ((size_t)subTemplate->size * entriesIndex);
}
}
}