diff --git a/src/tls13.c b/src/tls13.c
index f3efec0fdc..e026add383 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -8770,8 +8770,8 @@ static word32 NextCert(byte* data, word32 length, word32* idx)
 {
 word32 len;
- /* Is index at end of list. */
- if (*idx == length)
+ /* Would index read past end of list? */
+ if (*idx + 3 > length)
 return 0;
 /* Length of the current ASN.1 encoded certificate. */
@@ -8779,6 +8779,10 @@ static word32 NextCert(byte* data, word32 length, word32* idx)
 /* Include the length field. */
 len += 3;
+ /* Ensure len does not overrun certificate list */
+ if (*idx + len > length)
+ return 0;
+
 /* Move index to next certificate and return the current certificate's
 * length. */
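Review bot: Both new bounds checks add before they compare, so `*idx + 3 > length` in the first hunk and `*idx + len > length` in the second are computed in `word32` (presumably unsigned 32-bit) arithmetic and could wrap to a small value if `*idx` were ever near the type's maximum. The subtraction form cannot wrap: `if (*idx > length || length - *idx < 3)` for the first check and `if (len > length - *idx)` for the second. Whether any caller can pass such an index or length is not visible here, so this is hardening rather than a demonstrated bug. Separately, a truncated or oversized entry now returns 0 exactly like a clean end of list; a comment such as `/* 0 means end of list or malformed entry; caller must check *idx == length */` would state that contract, assuming callers do perform that check. The read of the length field lies between the two hunks and the end of the function is outside them.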