Skip to content

Detect overflow when decoding DER variable-length integers#9537

Open
basavaraj-sm05 wants to merge 1 commit into
square:masterfrom
basavaraj-sm05:der-varlong-overflow
Open

Detect overflow when decoding DER variable-length integers#9537
basavaraj-sm05 wants to merge 1 commit into
square:masterfrom
basavaraj-sm05:der-varlong-overflow

Conversation

@basavaraj-sm05

Copy link
Copy Markdown

DerReader decodes ASN.1 variable-length integers for OBJECT IDENTIFIER subidentifiers and high-number tags, building the value up with a shift left of 7 per continuation byte. That accumulation had no overflow guard (it carried a // TODO: detect overflow), so a subidentifier padded with enough continuation bytes silently wraps a Long and the shift can flip the sign. I ran into it decoding a certificate whose OID had an over-long arc: instead of rejecting the input, readObjectIdentifier handed back a bogus arc like 2.9223372036854775728 produced by the wrapped arithmetic. Since these bytes come straight off an untrusted certificate, quietly turning a malformed OID into a real-looking one seemed worth closing off. This throws a ProtocolException once the running value no longer fits in a Long, the same way the length decoder just above already rejects a length past Long.MAX_VALUE. Values up to Long.MAX_VALUE still decode exactly as before, and there's a regression test for the overflowing case.

@yschimke yschimke left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the fix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants