From 9b79d8643e8ca821597aa56c1553c11e9c1a8361 Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Mon, 7 Mar 2016 14:20:37 -0800
Subject: [PATCH] Added checks for total length and the cert policy OID len to
 make sure they don't exceed buffer.

---
 wolfcrypt/src/asn.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 29ce32f32..45664d696 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -4608,6 +4608,12 @@ static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
             WOLFSSL_MSG("\tGet CertPolicy total seq failed");
             return ASN_PARSE_E;
         }
+        
+        /* Validate total length (2 is the CERT_POLICY_OID+SEQ) */
+        if ((total_length + 2) != sz) {
+            WOLFSSL_MSG("\tCertPolicy length mismatch");
+            return ASN_PARSE_E;
+        }
 
         /* Unwrap certificatePolicies */
         do {
@@ -4629,6 +4635,12 @@ static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
             policy_length--;
 
             if (length > 0) {
+                /* Verify length won't overrun buffer */
+                if (length > (sz - (int)idx)) {
+                    WOLFSSL_MSG("\tCertPolicy length exceeds input buffer");
+                    return ASN_PARSE_E;
+                }
+
     #if defined(WOLFSSL_SEP)
                 cert->deviceType = (byte*)XMALLOC(length, cert->heap,
                                                   DYNAMIC_TYPE_X509_EXT);