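Index: src/pkcs15init/pkcs15-lib.c
===================================================================
--- src/pkcs15init/pkcs15-lib.c (revision 3605)
+++ src/pkcs15init/pkcs15-lib.c (revision 3661)
@@ -3708,6 +3708,11 @@
 /*
 * Parse OpenSC Info file. We rudely clobber any information
 * given on the command line.
+ *
+ * passed is a pointer (p) to (len) bytes. Those bytes contain
+ * one or several tag-length-value constructs, where tag and
+ * length are both single bytes. a final 0x00 or 0xff byte
+ * (with or without len byte) is ok.
 */
 static int
 sc_pkcs15init_parse_info(sc_card_t *card,
@@ -3719,11 +3724,21 @@
 unsigned int nopts = 0;
 size_t n;
 
- end = p + len;
- while (p < end && (tag = *p++) != 0 && tag != 0xFF) {
+ if ((p == NULL) || (len == 0))
+ return 0;
+
+ end = p + (len - 1);
+ while (p < end) { /* more bytes to look at */
 int r = 0;
 
- if (p >= end || p + (n = *p++) > end)
+ tag = *p; p++;
+ if ((tag == 0) || (tag == 0xff) || (p >= end))
+ break;
+
+ n = *p;
+ p++;
+
+ if (p >= end || p + n > end) /* invalid length byte n */
 goto error;
 
 switch (tag) {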
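Review bot: In the second hunk, `end = p + (len - 1)` makes `end` point at the last byte rather than one past it, so `if (p >= end || p + n > end)` now takes `goto error` for any entry whose value reaches the final byte of the buffer (for example a single tag/length/value with no trailing 0x00 or 0xff). A truncated trailing tag, by contrast, is silently dropped by the `break`. If a terminator byte is now required, the new header comment should say so instead of calling it "ok". The length check also forms `p + n` from a length byte read out of the file before comparing it, which can produce a pointer beyond the buffer; comparing sizes avoids that, e.g. keep `end = p + len;` and test `if (n > (size_t)(end - p)) goto error;`. The loop body continues past the end of the hunk, so how `p` is advanced after the `switch` is not visible here and should be checked against whichever bound is chosen.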