From 1766b91dc2ff7f20b986d3fa8a0fc34cbdf790e1 Mon Sep 17 00:00:00 2001
From: Ruby Martin
Date: Wed, 25 Mar 2026 15:23:32 -0600
Subject: [PATCH] check idx before accessing certificate list
---
 src/tls13.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/tls13.c b/src/tls13.c
index f3efec0fdc..e026add383 100644
--- a/src/tls13.c
+++ b/src/tls13.c
@@ -8770,8 +8770,8 @@ static word32 NextCert(byte* data, word32 length, word32* idx)
 {
 word32 len;
- /* Is index at end of list. */
- if (*idx == length)
+ /* Would index read past end of list? */
+ if (*idx + 3 > length)
 return 0;
 /* Length of the current ASN.1 encoded certificate. */
@@ -8779,6 +8779,10 @@ static word32 NextCert(byte* data, word32 length, word32* idx)
 /* Include the length field. */
 len += 3;
+ /* Ensure len does not overrun certificate list */
+ if (*idx + len > length)
+ return 0;
+
 /* Move index to next certificate and return the current certificate's
 * length. */
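Review bot: After this hunk a caller can no longer tell a cleanly consumed list from one with one or two trailing bytes, because `if (*idx + 3 > length) return 0;` returns the same 0 for the exact-end case the old `*idx == length` test covered and for a truncated length field. If the loop driving NextCert (outside this hunk) treats 0 purely as end-of-list, a Certificate message with trailing garbage would presumably be accepted as well-formed; the caller should verify `*idx == length` once the loop exits, or NextCert should report the malformed case distinctly, and the same ambiguity applies to the second hunk's `if (*idx + len > length) return 0;`. Both new comparisons would also read more clearly and be free of any word32 wraparound concern written as `if (length - *idx < 3)` and `if (len > length - *idx)`, which rely only on the `*idx <= length` invariant the new bound check maintains. NextCert's body continues past the end of this hunk.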