From 3d9181d7bdd8e491f745dbc9e34bd20b6f6da069 Mon Sep 17 00:00:00 2001
From: Gergely Nagy <ngg@tresorit.com>
Date: Wed, 14 Dec 2016 13:19:01 +0100
Subject: [PATCH] Fix possible DoS in ASN.1 decoders (CVE-2016-9939)

---
 asn.cpp | 10 ++++++++++
 asn.h   |  2 ++
 2 files changed, 12 insertions(+)

diff --git a/asn.cpp b/asn.cpp
index 297ff01..2e923ef 100644
--- a/asn.cpp
+++ b/asn.cpp
@@ -122,6 +122,8 @@ size_t BERDecodeOctetString(BufferedTran
 	size_t bc;
 	if (!BERLengthDecode(bt, bc))
 		BERDecodeError();
+	if (bc > bt.MaxRetrievable())
+		BERDecodeError();
 
 	str.resize(bc);
 	if (bc != bt.Get(str, bc))
@@ -138,6 +140,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, BufferedTransformation &
 	size_t bc;
 	if (!BERLengthDecode(bt, bc))
 		BERDecodeError();
+	if (bc > bt.MaxRetrievable())
+		BERDecodeError();
 
 	bt.TransferTo(str, bc);
 	return bc;
@@ -160,6 +164,8 @@ size_t BERDecodeTextString(BufferedTransformation &bt, std::string &str, byte as
 	size_t bc;
 	if (!BERLengthDecode(bt, bc))
 		BERDecodeError();
+	if (bc > bt.MaxRetrievable())
+		BERDecodeError();
 
 	SecByteBlock temp(bc);
 	if (bc != bt.Get(temp, bc))
@@ -187,6 +193,10 @@ size_t BERDecodeBitString(BufferedTransformation &bt, SecByteBlock &str, unsigne
 	size_t bc;
 	if (!BERLengthDecode(bt, bc))
 		BERDecodeError();
+	if (bc == 0)
+		BERDecodeError();
+	if (bc > bt.MaxRetrievable())
+		BERDecodeError();
 
 	byte unused;
 	if (!bt.Get(unused))
diff --git a/asn.h b/asn.h
index ed9de52..33f0dd0 100644
--- a/asn.h
+++ b/asn.h
@@ -332,6 +332,8 @@ void BERDecodeUnsigned(BufferedTransform
 
 	size_t bc;
 	BERLengthDecode(in, bc);
+	if (bc > in.MaxRetrievable())
+		BERDecodeError();
 
 	SecByteBlock buf(bc);