neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/libasn1c/+/37984?usp=email )
Change subject: coverity CID#57681
......................................................................
coverity CID#57681
Make sure that bits_unused cannot subtract more bits than present in
st->size.
Especially when st->size == 0, this ensures that sizeinunits is also 0,
and that a st->size == 0 hence never enters the while (sizeinunits)
loop.
Change-Id: Ic8e3f5e24541989b79826de2942e5e6560079028
---
M src/OCTET_STRING.c
1 file changed, 9 insertions(+), 1 deletion(-)
git pull ssh://gerrit.osmocom.org:29418/libasn1c refs/changes/84/37984/1
diff --git a/src/OCTET_STRING.c b/src/OCTET_STRING.c
index 3e424e7..9d2e817 100644
--- a/src/OCTET_STRING.c
+++ b/src/OCTET_STRING.c
@@ -1859,6 +1859,7 @@
unsigned int unit_bits;
unsigned int canonical_unit_bits;
unsigned int sizeinunits;
+ unsigned int unused;
const uint8_t *buf;
int ret;
enum {
@@ -1888,7 +1889,11 @@
case ASN_OSUBV_BIT:
canonical_unit_bits = unit_bits = 1;
bpc = OS__BPC_BIT;
- sizeinunits = st->size * 8 - (st->bits_unused & 0x07);
+ sizeinunits = st->size * 8;
+ /* make sure sizeinunits cannot wrap past zero (especially when st->size == 0). */
+ unused = st->bits_unused & 0x07;
+ if (unused <= sizeinunits)
+ sizeinunits -= unused;
ASN_DEBUG("BIT STRING of %d bytes",
sizeinunits);
break;
@@ -1994,6 +1999,9 @@
maySave, bpc, unit_bits,
cval->lower_bound, cval->upper_bound, pc);
} else {
+ /* coverity CID#57681: st->buf can be NULL, but above, we've verified that when st->buf == NULL,
+ * then also st->size == 0, and hence sizeinunits == 0, hence this 'while' will skip entirely,
+ * and hence it is safe to dereference buf here. */
ret = per_put_many_bits(po, buf, maySave * unit_bits);
}
if(ret) _ASN_ENCODE_FAILED;
--
To view, visit https://gerrit.osmocom.org/c/libasn1c/+/37984?usp=email
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: libasn1c
Gerrit-Branch: master
Gerrit-Change-Id: Ic8e3f5e24541989b79826de2942e5e6560079028
Gerrit-Change-Number: 37984
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr(a)sysmocom.de>
