From ed93d5f01d7c118c9f6ded65495b9787a9c80fee Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Mon, 8 Jul 2019 19:33:50 +0200
Subject: encode_ber_digest_info: added sanity check
Issue found using oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15665
Signed-off-by: Nikos Mavrogiannopoulos
---
 .../5b24d9a0bdb049a203a1fac98d2854bbc6062195 | Bin 0 -> 1394 bytes
 lib/pk.c | 4 ++++
 2 files changed, 4 insertions(+)
 create mode 100644 fuzz/gnutls_x509_verify_fuzzer.repro/5b24d9a0bdb049a203a1fac98d2854bbc6062195
diff --git a/fuzz/gnutls_x509_verify_fuzzer.repro/5b24d9a0bdb049a203a1fac98d2854bbc6062195 b/fuzz/gnutls_x509_verify_fuzzer.repro/5b24d9a0bdb049a203a1fac98d2854bbc6062195
new file mode 100644
index 0000000000..86b66c022c
Binary files /dev/null and b/fuzz/gnutls_x509_verify_fuzzer.repro/5b24d9a0bdb049a203a1fac98d2854bbc6062195 differ
diff --git a/lib/pk.c b/lib/pk.c
index 1887063eb0..debcc2ac09 100644
--- a/lib/pk.c
+++ b/lib/pk.c
@@ -598,6 +598,10 @@ encode_ber_digest_info(const mac_entry_st * e,
 uint8_t *tmp_output;
 int tmp_output_size;
 
+ /* prevent asn1_write_value() treating input as string */
+ if (digest->size == 0)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
+
 algo = _gnutls_x509_mac_to_oid(e);
 if (algo == NULL) {
 gnutls_assert();
-- 
cgit v1.2.1
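Review bot: The new guard in encode_ber_digest_info rejects only a zero-length digest, but unless every caller guarantees it, a NULL `digest->data` with a non-zero size would still be handed to asn1_write_value() and dereferenced there, so the same line should cover both cases: `if (digest->size == 0 || digest->data == NULL)`. The comment would also serve the next reader better if it named the hazard rather than the symptom, e.g. `/* asn1_write_value() treats len == 0 as "NUL-terminated string" and would read past the end of digest->data; reject empty input up front */`. Whether digest->size should additionally be compared against the digest length of e cannot be judged from this hunk, because the callers' contract is not visible here. The function's signature and the remainder of its body lie outside the hunk.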