Fix integer overflow in ASN.1 parsing functions.
Bug: 6274291
Change-Id: Id0850ce39aebfc9018c0459ec3147e05506a646f
diff --git a/crypto/mem.c b/crypto/mem.c
index 8f736c3..21c0011 100644
--- a/crypto/mem.c
+++ b/crypto/mem.c
@@ -363,6 +363,10 @@
if (num <= 0) return NULL;
+ /* We don't support shrinking the buffer. Note the memcpy that copies
+ * |old_len| bytes to the new buffer, below. */
+ if (num < old_len) return NULL;
+
if (realloc_debug_func != NULL)
realloc_debug_func(str, NULL, num, file, line, 0);
ret=malloc_ex_func(num,file,line);
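Review bot: The added guard `if (num < old_len) return NULL;` rejects a shrink request but not a negative `old_len`. The enclosing function starts and ends outside this hunk, so the parameter types are not visible; if `old_len` is a signed int, as the `num <= 0` test suggests for `num`, a negative value passes both checks and reaches the memcpy the new comment refers to, where it would be converted to a very large size. Widening the check to `if (old_len < 0 || num < old_len) return NULL;` would close that path. The comment could also say that on this NULL return the old buffer is left untouched (presumably neither cleansed nor freed, since that code sits below the guard), so callers know they still own it.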