From 5d8b3148e99c4fe6ab398c8ce8f1348ce0236e78 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Mon, 29 Feb 2016 08:01:05 -0800 Subject: Fix encoding bug in i2c_ASN1_INTEGER MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit (Imported from upstream's 3661bb4e7934668bd99ca777ea8b30eedfafa871.) Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as negative. Thanks to Huzaifa Sidhpurwala and Hanno Böck for reporting this issue. BUG=590615 Ticket: CYNGNOS-3020 (cherry-picked from c4eec0c16b02c97a62a95b6a08656c3a9ddb6baa) Bug: 28175332 Change-Id: I8959e8ae01510a5924862a3f353be23130eee554 Reviewed-on: https://boringssl-review.googlesource.com/7199 Reviewed-by: David Benjamin (cherry picked from commit 33ce65e3fe4122e5f83e97bae4b110398a024002) --- src/crypto/asn1/a_int.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/crypto/asn1/a_int.c b/src/crypto/asn1/a_int.c index 2ecccc5..16b8950 100644 --- a/src/crypto/asn1/a_int.c +++ b/src/crypto/asn1/a_int.c @@ -125,6 +125,8 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) { ret=a->length; i=a->data[0]; + if (ret == 1 && i == 0) + neg=0; if (!neg && (i > 127)) { pad=1; pb=0; @@ -158,7 +160,7 @@ int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) p += a->length - 1; i = a->length; /* Copy zeros to destination as long as source is zero */ - while(!*n) { + while(!*n && i > 1) { *(p--) = 0; n--; i--; -- cgit v1.1