From a3fca3447100de5f02b52b2b4b47edba2c3810dc Mon Sep 17 00:00:00 2001
From: Guido Vranken
Date: Thu, 14 Nov 2019 03:19:07 +0100
Subject: [PATCH] Properly limit array access in OCSP response decoder
---
 wolfcrypt/src/asn.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index fe031c619..ed557db70 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -14799,7 +14799,7 @@ static int GetEnumerated(const byte* input, word32* inOutIdx, int *value,
 return BUFFER_E;
 len = input[idx++];
- if (len > 4 || (int)len > sz)
+ if (len > 4 || (int)(len + idx) > sz)
 return ASN_PARSE_E;
 while (len--) {
@@ -14859,6 +14859,9 @@ static int DecodeSingleResponse(byte* source,
 if (GetSerialNumber(source, &idx, cs->serial, &cs->serialSz, size) < 0)
 return ASN_PARSE_E;
+ if ( idx >= size )
+ return BUFFER_E;
+ /* CertStatus */
 switch (source[idx++]) {
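Review bot: The new bound in GetEnumerated, `(int)(len + idx) > sz`, adds the two values in their own type and then narrows the sum to int, so the test is only sound while the sum stays below INT_MAX; a larger idx would turn negative after the cast and pass the check. The declarations of len, idx and sz are outside the hunk, but if idx is the word32 taken from inOutIdx and sz is a non-negative int, comparing without the signed cast is safer: `if (len > 4 || len + idx > (word32)sz)`. A short comment such as `/* idx is already past the length octet; len + idx is the end of the value */` would also make clear why idx is part of the bound. The function body continues on both sides of the hunk.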
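Review bot: The added `if ( idx >= size )` guard in DecodeSingleResponse only proves that the single status tag byte read by `switch (source[idx++])` is in range. The switch arms are outside the hunk, and any byte they read or skip after the tag needs its own comparison against size. A comment above the check would record that limit, for example `/* at least the CertStatus tag byte must remain */`. The spacing inside the parentheses also differs from the `if (GetSerialNumber(...` line above it; `if (idx >= size)` would match the surrounding code.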