From: tlyu@mit.edu
Subject: SVN Commit

asn1buf_imbed() can perform pointer arithmetic that causes the "bound" pointer of the subbuffer to be less than the "next" pointer. This can lead to malloc() failure or crash.

In asn1buf_imbed(), check the length before doing arithmetic to set subbuf->bound.

In asn1buf_remove_octetstring() and asn1buf_remove_charstring(), check for invalid buffer pointers before executing an unsigned length check against a (casted to size_t) negative number.

https://github.com/krb5/krb5/commit/9024676102cbd24d08f41fa3de7761d64f13db4d

Commit By: tlyu
Revision: 22175
Changed Files:
U trunk/src/lib/krb5/asn.1/asn1buf.c
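The two checks the commit message describes, shown as an added sketch in C; this is not the krb5 code from the commit. The `dbuf` type, the function names and the half-open `end` pointer are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical buffer, not krb5's: data in [base, end), next = cursor. */
typedef struct { const uint8_t *base, *next, *end; } dbuf;
enum { DBUF_OK = 0, DBUF_OVERRUN = -1 };

/* Flawed check in isolation: a negative count cast to size_t is huge. */
int naive_fits(ptrdiff_t remaining, size_t len)
{
    return len <= (size_t)remaining;
}

/* Pointers are validated first, so the subtraction cannot go negative. */
int dbuf_fits(const dbuf *b, size_t len)
{
    if (b->next < b->base || b->next > b->end)
        return 0;
    return len <= (size_t)(b->end - b->next);
}

/* Length is checked before any arithmetic that sets sub->end. */
int dbuf_imbed(dbuf *sub, const dbuf *parent, size_t len)
{
    if (!dbuf_fits(parent, len))
        return DBUF_OVERRUN;
    sub->base = sub->next = parent->next;
    sub->end = parent->next + len;
    return DBUF_OK;
}

/* Return a view of len bytes and advance the cursor, same check order. */
int dbuf_take(dbuf *b, size_t len, const uint8_t **out)
{
    if (!dbuf_fits(b, len))
        return DBUF_OVERRUN;
    *out = b->next;
    b->next += len;
    return DBUF_OK;
}

int main(void)
{
    /* Constructed input: cursor already two bytes past the end. */
    static const uint8_t data[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    dbuf bad = { data, data + 6, data + 4 };
    const uint8_t *v;
    return dbuf_take(&bad, 1, &v) == DBUF_OVERRUN ? 0 : 1;
}
```

`naive_fits(-1, n)` accepts every `n`, which is why the pointer validity test has to come before the unsigned comparison.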