egg-asn1x: Fix crash when parsing invalid DER files

 * When parsing invalid DER files and more than one sub-TLV is
   encountered we would do a NULL dereference.
 * Catch this condition and test for it.

1 files changed, 8 insertions, 0 deletions

diff --git a/egg/egg-asn1x.c b/egg/egg-asn1x.c
index 5168e3f..7e6e854 100644
--- a/egg/egg-asn1x.c
+++ b/egg/egg-asn1x.c
@@ -1181,11 +1181,17 @@ static gboolean
 anode_decode_anything (GNode *node,
                        Atlv *tlv)
 {
+	GNode *prev = NULL;
 	GNode *next;
 	gulong tag;
 	gint flags;
 
+	g_assert (node != NULL);
+
 	while (tlv != NULL) {
+		if (node == NULL)
+			return anode_failure (prev, "encountered extra tag");
+
 		flags = anode_def_flags (node);
 		tag = anode_calc_tag_for_flags (node, flags);
 
@@ -1205,6 +1211,7 @@ anode_decode_anything (GNode *node,
 			if (next == NULL)
 				return anode_failure (node, "decoded tag did not match expected");
 
+			prev = node;
 			node = next;
 			continue;
 		}
@@ -1213,6 +1220,7 @@ anode_decode_anything (GNode *node,
 			return FALSE;
 
 		/* Next node and tag */
+		prev = node;
 		node = g_node_next_sibling (node);
 		tlv = tlv->next;
 	}