RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 23:07:35 +00:00
Code Issues Activity Actions

LibCrypto: Fix bound checks when reading bitmaps

Browse source 
This only affects malformed RSA keys. Instead of accepting and
continuing with potentially broken pointers (and in ASAN, crashing), we
now consider bitmaps malformed, and stop parsing.

Found by OSS Fuzz: #31698, long-standing-bug:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31698

Fun fact: The "if" only exists because of OSS Fuzz.
8cc279ed74
This commit is contained in:
Ben Wiederhake 2021-05-30 18:44:06 +02:00 committed by Ali Mohammad Pur
parent 3e0266c9e9
commit 05d49cc0cb
2 changed files with 1 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Userland/Libraries/LibCrypto/ASN1/DER.cpp
View file

@ -176,7 +176,7 @@ Result<const BitmapView, DecodeError> Decoder::decode_bit_string(ReadonlyBytes d
return DecodeError::InvalidInputFormat;
auto unused_bits = data[0];
auto total_size_in_bits = data.size() * 8;
auto total_size_in_bits = (data.size() - 1) * 8;
if (unused_bits > total_size_in_bits)
return DecodeError::Overflow;

3
Userland/Libraries/LibCrypto/PK/RSA.h
View file

@ -31,8 +31,6 @@ public:
{
}
//--stuff it should do
const Integer& modulus() const { return m_modulus; }
const Integer& public_exponent() const { return m_public_exponent; }
size_t length() const { return m_length; }
@ -66,7 +64,6 @@ public:
{
}
//--stuff it should do
const Integer& modulus() const { return m_modulus; }
const Integer& private_exponent() const { return m_private_exponent; }
const Integer& public_exponent() const { return m_public_exponent; }