From 8cc279ed74dc0b16a187052d2454c26c8c6ecaf2 Mon Sep 17 00:00:00 2001
From: AnotherTest
Date: Mon, 8 Mar 2021 10:50:40 +0330
Subject: [PATCH] LibCrypto: Fail with overflow when bitfield has too many unused bits

There cannot be more unused bits than the entirety of the input. Found by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31706#c1
---
 Userland/Libraries/LibCrypto/ASN1/DER.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Userland/Libraries/LibCrypto/ASN1/DER.cpp b/Userland/Libraries/LibCrypto/ASN1/DER.cpp
index 1fcbbc113b..d09c7ee87e 100644
--- a/Userland/Libraries/LibCrypto/ASN1/DER.cpp
+++ b/Userland/Libraries/LibCrypto/ASN1/DER.cpp
@@ -196,7 +196,12 @@ Result Decoder::decode_bit_string(ReadonlyBytes d
 return DecodeError::InvalidInputFormat;
 auto unused_bits = data[0];
- return BitmapView { const_cast(data.offset_pointer(1)), data.size() * 8 - unused_bits };
+ auto total_size_in_bits = data.size() * 8;
+
+ if (unused_bits > total_size_in_bits)
+ return DecodeError::Overflow;
+
+ return BitmapView { const_cast(data.offset_pointer(1)), total_size_in_bits - unused_bits };
 }
 Result Decoder::peek()
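Review bot: `total_size_in_bits` is computed as `data.size() * 8`, which still counts the leading unused-bits octet, while the returned view starts at `data.offset_pointer(1)`. The bit length handed to `BitmapView` can therefore exceed the content behind that pointer by up to 8 bits; a one-byte input with `unused_bits` of 0, for example, passes the new check and yields an 8-bit view over no content bytes. The bound should cover the content only, `auto total_size_in_bits = (data.size() - 1) * 8;`, and since DER restricts the count to 0–7 the guard could be `if (unused_bits > 7 || unused_bits > total_size_in_bits)`. The start of decode_bit_string lies outside the hunk, so this assumes the earlier size check (whose `return DecodeError::InvalidInputFormat;` is the first context line) only guarantees at least one byte. A regression test with the OSS-Fuzz input plus a one-byte bit string would pin both cases.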