From 7077781af53ebfc114b3a6b3c1ef7edce78a89c6 Mon Sep 17 00:00:00 2001
From: Gilles Peskine
Date: Thu, 21 Sep 2023 16:50:40 +0200
Subject: [PATCH] Fix integer overflow with an input buffer larger than INT_MAX

Signed-off-by: Gilles Peskine
---
 library/x509_create.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/library/x509_create.c b/library/x509_create.c
index b6895bf0a2..2bea28ee9f 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -208,7 +208,7 @@ static int parse_attribute_value_string(const char *s,
 * contains a null byte.
 */
 static int parse_attribute_value_hex_der_encoded(const char *s,
- int len,
+ size_t len,
 unsigned char *data,
 size_t *data_len,
 int *tag)
@@ -308,10 +308,12 @@ int mbedtls_x509_string_to_names(mbedtls_asn1_named_data **head, const char *nam
 mbedtls_free(oid.p);
 return MBEDTLS_ERR_X509_INVALID_NAME;
 } else if (*s == '#') {
- if ((parse_ret =
- parse_attribute_value_hex_der_encoded(s + 1, (int) (c - s - 1),
- data, &data_len,
- &tag)) != 0) {
+ /* We know that c >= s (loop invariant) and c != s (in this
+ * else branch), hence c - s - 1 >= 0. */
+ parse_ret = parse_attribute_value_hex_der_encoded(
+ s + 1, c - s - 1,
+ data, &data_len, &tag);
+ if (parse_ret != 0) {
 mbedtls_free(oid.p);
 return MBEDTLS_ERR_X509_INVALID_NAME;
 }
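Review bot: Widening `len` from `int` to `size_t` in the signature of parse_attribute_value_hex_der_encoded is only safe if every use of `len` in the body tolerates an unsigned type, and the body lies outside this hunk, so that cannot be confirmed from here. Any remaining `int` loop index or signed comparison against `len` would now be promoted to unsigned and should be switched to `size_t` in the same commit. The doc comment above the signature is also cut off by the hunk; if it does not already say so, a line such as `len: number of characters of s to parse (the text after the leading '#')` would record what the call site in the second hunk passes.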
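Review bot: The argument `c - s - 1` in mbedtls_x509_string_to_names is a signed pointer difference that is now converted to `size_t` implicitly, so the bounds of the callee's read rest entirely on the invariant stated in the new comment. If `c == s` ever became reachable in this branch, the length would wrap to a very large value instead of being rejected. Writing the conversion explicitly, `s + 1, (size_t) (c - s - 1),`, keeps the intent visible at the call and avoids sign-conversion warnings. The `c != s` condition the comment relies on is established above the hunk and is not visible here, so it should be confirmed on every path into this `else if`. The diffstat lists only library/x509_create.c, so no regression test accompanies the fix.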