which was effectively bypassed in the ASN1 changes.
unsigned char *p,*s;
int i;
+ if (len < 1)
+ {
+ i=ASN1_R_STRING_TOO_SHORT;
+ goto err;
+ }
+
if ((a == NULL) || ((*a) == NULL))
{
if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
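Review bot: The new `goto err` for `len < 1` runs before `ret` is assigned anywhere in this hunk, so the error path is only safe if `ret` is initialised to NULL at its declaration and the `err:` cleanup tolerates that. Both are outside the hunk, so please confirm them. The check itself would benefit from a short why-comment, for example `/* content must contain at least the leading unused-bits octet */`, so the reason for the minimum length is not lost again in a later refactor. The function's signature and the rest of its body are outside the hunk.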
ctx->ptag = ptag;
ctx->hdrlen = p - q;
ctx->valid = 1;
- /* If definite length, length + header can't exceed total
- * amount of data available.
+ /* If definite length, and no error, length +
+ * header can't exceed total amount of data available.
*/
- if(!(i & 1) && ((plen + ctx->hdrlen) > len)) {
+ if(!(i & 0x81) && ((plen + ctx->hdrlen) > len)) {
ASN1err(ASN1_F_ASN1_CHECK_TLEN, ASN1_R_TOO_LONG);
asn1_tlc_clear(ctx);
return 0;
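Review bot: The bound check on the changed `if` line still computes `plen + ctx->hdrlen` before comparing it with `len`. If these are signed integers (their declarations are outside the hunk), a very large parsed length could overflow the sum and slip past the test. Writing it as `if(!(i & 0x81) && (plen > len - ctx->hdrlen)) {` avoids the addition, assuming the header length cannot exceed `len` once the header has parsed without error. The mask `0x81` is also a bare magic number; a comment such as `/* 0x80: header parse error, 0x01: indefinite length */` next to it would tie it to the updated comment above. The enclosing function starts and ends outside the hunk.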