author | z2_ <88509734+z2-2z@users.noreply.github.com> | 2021-08-05 21:08:37 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2021-08-16 08:26:50 +0200 |
commit | 5f3ca7f77395367ad74e91785c7ca0ccb6c927ba (patch) | |
tree | af2e81f3caf4797ced5c2839329da15b9b24cbb0 /lib | |
parent | 881a8c4e106641ae7c394e56d37a83be2d87b427 (diff) | |
x509asn1: fix heap over-read when parsing x509 certificates
Assisted-by: Patrick Monnerat
Closes #7536
Diffstat (limited to 'lib')
-rw-r--r-- | lib/x509asn1.c | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index c70378dac..9c3342dfc 100644
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@@ -34,6 +34,7 @@
 #include "inet_pton.h"
 #include "curl_base64.h"
 #include "x509asn1.h"
+#include "dynbuf.h"
 /* The last 3 #include files should be in this order */
 #include "curl_printf.h"
@@ -205,16 +206,16 @@ static const char *bool2str(const char *beg, const char *end)
 */
 static const char *octet2str(const char *beg, const char *end)
 {
- size_t n = end - beg;
- char *buf = NULL;
+ struct dynbuf buf;
+ CURLcode result;
- if(n <= (SIZE_T_MAX - 1) / 3) {
- buf = malloc(3 * n + 1);
- if(buf)
- for(n = 0; beg < end; n += 3)
- msnprintf(buf + n, 4, "%02x:", *(const unsigned char *) beg++);
- }
- return buf;
+ Curl_dyn_init(&buf, 3 * CURL_ASN1_MAX + 1);
+ result = Curl_dyn_addn(&buf, "", 0);
+
+ while(!result && beg < end)
+ result = Curl_dyn_addf(&buf, "%02x:", (unsigned char) *beg++);
+
+ return Curl_dyn_ptr(&buf);
 }
 static const char *bit2str(const char *beg, const char *end) |
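Review bot: The zero-length `Curl_dyn_addn(&buf, "", 0)` in octet2str carries no comment, although it appears to be what guarantees an allocated, NUL-terminated result when `beg == end`, the case in which the removed code returned a `malloc(1)` buffer that nothing had written to. A later cleanup could drop the call as a no-op, so I would add `/* force an allocation so an empty octet string yields "" */` above it. The return path also seems to rely on the dynbuf helpers releasing the buffer when an append fails, so that `Curl_dyn_ptr()` gives NULL rather than a truncated hex string once `result` is discarded; that contract is not visible in this hunk and is worth stating in the function's header comment, which begins outside the hunk.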