From 6be61daac047d8e6aa941eb103f8e71a1d4e3c75 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 3 May 2016 16:01:09 +0200
Subject: [PATCH] Fix an OOB read access in _ksba_dn_to_str.

* src/dn.c (append_utf8_value): Use a straightforward check to fix an
off-by-one.
--

The old fix for the problem from April 2015 had an off-by-one in the
bad encoding handing.

Fixes-commit: 243d12fdec66a4360fbb3e307a046b39b5b4ffc3
GnuPG-bug-id: 2344
Reported-by: Pascal Cuoq
Signed-off-by: Werner Koch <wk@gnupg.org>
---
 src/dn.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/dn.c b/src/dn.c
index d207bf0..cea18a1 100644
--- a/src/dn.c
+++ b/src/dn.c
@@ -332,11 +332,8 @@ append_utf8_value (const unsigned char *value, size_t length,
         }
       else
         {
-          if (n+nmore > length)
-            nmore = length - n; /* Oops, encoding to short */
-
           tmp[0] = *s++; n++;
-          for (i=1; i <= nmore; i++)
+          for (i=1; n < length && i <= nmore; i++)
             {
               if ( (*s & 0xc0) != 0x80)
                 break; /* Invalid encoding - let the next cycle detect this. */
-- 
2.8.1