From e6c48327c17309e2cc5ccfb3e7eeb3eb3bc674e6 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Wed, 11 Sep 2019 09:27:51 -0600
Subject: [PATCH] sanity check on length before read
---
 wolfcrypt/src/asn.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 18787949a..3b2fcd82f 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -8036,7 +8036,13 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
 certSz) < 0) {
 ret = ASN_PARSE_E;
 }
+
+ if (ret == 0) {
+ if ((extIdx + 1) > certSz)
+ ret = BUFFER_E;
+ }
 }
+
 if (ret == 0) {
 if (cert[extIdx] == ASN_BOOLEAN) {
 if (GetBoolean(cert, &extIdx, certSz) < 0)
@@ -8055,6 +8061,9 @@ static int CheckCertSignature_ex(const byte* cert, word32 certSz, void* heap,
 if (GetSequence(cert, &extIdx, &extLen, certSz) < 0)
 ret = ASN_PARSE_E;
+ if (ret == 0 && extIdx + 1 < certSz)
+ ret = BUFFER_E;
+
 if (ret == 0 && cert[extIdx++] == (ASN_CONTEXT_SPECIFIC | 0)) {
 if (GetLength(cert, &extIdx, &extLen, certSz) <= 0)
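Review bot: The bounds check added before `cert[extIdx++]` in the second hunk looks inverted: `extIdx + 1 < certSz` is true when bytes remain, so it sets `BUFFER_E` on well-formed input and still lets the read go ahead when `extIdx` is at or past the end of `cert`. The guard should reject the out-of-range case instead, for example `if (ret == 0 && extIdx >= certSz) ret = BUFFER_E;`, which agrees with the direction of the `(extIdx + 1) > certSz` check added in the first hunk and avoids relying on `extIdx + 1` not wrapping. Since `cert`/`certSz` describe the certificate being verified, this is the read the commit title sets out to protect; a regression test using a buffer that ends right after the header consumed by `GetSequence` would pin the intended behaviour. The body of `CheckCertSignature_ex` starts and ends outside both hunks, so any later re-validation of `extIdx` is not visible here.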