Fix other occurrences of same bounds check issue

Security impact is the same: not triggerrable remotely except in very specific use cases
2025-08-01 10:06:53 +03:00 · 2015-10-21 12:23:09 +02:00
parent 22c3b7b9da
commit 4dc9b394d3
2 changed files with 5 additions and 2 deletions
--- a/library/x509_create.c
+++ b/library/x509_create.c
@ -259,13 +259,16 @@ int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
    int ret;
    size_t len = 0;

-    if( *p - start < (int) size + 1 )
+    if( *p < start || (size_t)( *p - start ) < size )
        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );

    len = size;
    (*p) -= len;
    memcpy( *p, sig, len );

+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
    *--(*p) = 0;
    len += 1;