From cc722468be359a6386a87dd1bd44f0b4997ce3fc Mon Sep 17 00:00:00 2001
From: John Safranek <john@wolfssl.com>
Date: Wed, 27 Nov 2019 10:43:51 -0800
Subject: [PATCH] Maintenance: ASN.1 1. Add an additional check in
 GetCertHeader() to see that sigIndex is bounded by maxIdx.

---
 wolfcrypt/src/asn.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index a5c2ccac6..c2f12a10b 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -4553,7 +4553,10 @@ static int GetCertHeader(DecodedCert* cert)
 
     if (GetSequence(cert->source, &cert->srcIdx, &len, cert->maxIdx) < 0)
         return ASN_PARSE_E;
+
     cert->sigIndex = len + cert->srcIdx;
+    if (cert->sigIndex > cert->maxIdx)
+        return ASN_PARSE_E;
 
     if (GetExplicitVersion(cert->source, &cert->srcIdx, &cert->version,
                                                             cert->sigIndex) < 0)