From 05d49cc0cbb66e065856fd696af044d9c8a0fea9 Mon Sep 17 00:00:00 2001 From: Ben Wiederhake Date: Sun, 30 May 2021 18:44:06 +0200 Subject: [PATCH] LibCrypto: Fix bound checks when reading bitmaps This only affects malformed RSA keys. Instead of accepting and continuing with potentially broken pointers (and in ASAN, crashing), we now consider bitmaps malformed, and stop parsing. Found by OSS Fuzz: #31698, long-standing-bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31698 Fun fact: The "if" only exists because of OSS Fuzz. 8cc279ed74dc0b16a187052d2454c26c8c6ecaf2 --- Userland/Libraries/LibCrypto/ASN1/DER.cpp | 2 +- Userland/Libraries/LibCrypto/PK/RSA.h | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/Userland/Libraries/LibCrypto/ASN1/DER.cpp b/Userland/Libraries/LibCrypto/ASN1/DER.cpp index 1a411e35a3..5c443e8ec6 100644 --- a/Userland/Libraries/LibCrypto/ASN1/DER.cpp +++ b/Userland/Libraries/LibCrypto/ASN1/DER.cpp @@ -176,7 +176,7 @@ Result Decoder::decode_bit_string(ReadonlyBytes d return DecodeError::InvalidInputFormat; auto unused_bits = data[0]; - auto total_size_in_bits = data.size() * 8; + auto total_size_in_bits = (data.size() - 1) * 8; if (unused_bits > total_size_in_bits) return DecodeError::Overflow; diff --git a/Userland/Libraries/LibCrypto/PK/RSA.h b/Userland/Libraries/LibCrypto/PK/RSA.h index c598100da5..137f1f2f5f 100644 --- a/Userland/Libraries/LibCrypto/PK/RSA.h +++ b/Userland/Libraries/LibCrypto/PK/RSA.h @@ -31,8 +31,6 @@ public: { } - //--stuff it should do - const Integer& modulus() const { return m_modulus; } const Integer& public_exponent() const { return m_public_exponent; } size_t length() const { return m_length; } @@ -66,7 +64,6 @@ public: { } - //--stuff it should do const Integer& modulus() const { return m_modulus; } const Integer& private_exponent() const { return m_private_exponent; } const Integer& public_exponent() const { return m_public_exponent; }