From babfbabaf9591288956f3b8faedb99bcd0f39b7e Mon Sep 17 00:00:00 2001
From: leitner <leitner>
Date: Sat, 19 Apr 2014 10:46:59 +0000
Subject: [PATCH] reject non-minimally encoded integers

---
 scan_asn1rawint.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/scan_asn1rawint.c b/scan_asn1rawint.c
index 6f6f676..e6a18ab 100644
--- a/scan_asn1rawint.c
+++ b/scan_asn1rawint.c
@@ -1,17 +1,21 @@
 #include "asn1.h"
 
 size_t scan_asn1rawint(const char* src,const char* max,size_t len,long* l) {
-  size_t i,j;
+  size_t i;
   long m;
-  if (src>=max) return 0;
-  if (*src<0) m=-1; else m=0;
-  for (i=j=0; i<len; ++i,++j) {
-    if ((m==0 && *src==0) || (m==-1 && *src==-1)) --j;
-    m=(m<<8)|(unsigned char)*src;
-    ++src;
-    if (src>max) return 0;
+  if (src>=max) return 0;		// 0 bytes input buffer
+  if (*src<0) m=-1; else m=0;		// negative number?
+  if (len>1 && *src==m) {
+    // we want to catch things like 00 01
+    // but a leading 0 byte is needed for 00 a0 because otherwise it would be -96
+    if ((src[1]>>7)==m) return 0;	// non-minimal encoding
+    if (len>sizeof(m)+1) return 0;	// value too large, does not fit
+  } else
+    if (len>sizeof(m)) return 0;	// value too large, does not fit
+  if (src+i>=max) return 0;		// input buffer not sufficient
+  for (i=0; i<len; ++i) {
+    m=(m<<8)|(unsigned char)src[i];
   }
-  if (j>sizeof(long)) return 0;
   *l=m;
   return len;
 }