Fix endless loop resulting in OOM
This was detected by libtasn1_encoding_fuzzer with the following input:
TEST_TREE { }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
Koko ::= SEQUENCE {
x ?L
}
END
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
diff --git a/lib/structure.c b/lib/structure.c
index 8189c56..2a3cfa0 100644
--- a/lib/structure.c
+++ b/lib/structure.c
@@ -578,8 +578,8 @@
_asn1_expand_identifier (asn1_node * node, asn1_node_const root)
{
asn1_node p, p2, p3;
- char name2[ASN1_MAX_NAME_SIZE + 2];
- int move;
+ char name2[ASN1_MAX_NAME_SIZE + 2], prevname[ASN1_MAX_NAME_SIZE + 2] = "";
+ int move, tries = 0;
if (node == NULL)
return ASN1_ELEMENT_NOT_FOUND;
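Review bot: The combined declaration `char name2[...], prevname[...] = "";` mixes an uninitialized buffer with an initialized one, so it is easy to miss that only `prevname` starts as an empty string. Declaring it on its own line, `char prevname[ASN1_MAX_NAME_SIZE + 2] = "";`, with a short comment such as `/* last identifier expanded, used for loop detection */`, would make the intent visible. The same applies to `int move, tries = 0;`. The function body continues outside this hunk.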
@@ -594,6 +594,17 @@
if (type_field (p->type) == ASN1_ETYPE_IDENTIFIER)
{
snprintf (name2, sizeof (name2), "%s.%s", root->name, p->value);
+ if (strcmp (name2, prevname))
+ {
+ strcpy (prevname, name2);
+ tries = 0;
+ }
+ else
+ {
+ // error if same name was used too often in a row
+ if (++tries >= EXPAND_OBJECT_ID_MAX_RECURSION)
+ return ASN1_RECURSION;
+ }
p2 = _asn1_copy_structure2 (root, name2);
if (p2 == NULL)
{
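Review bot: The new guard only counts consecutive expansions of the same `name2`, because the `strcmp` branch resets `tries = 0` whenever the name differs from `prevname`. If a definition cycle can alternate between two or more identifiers (this hunk does not show whether an earlier check rules that out), the counter would never reach `EXPAND_OBJECT_ID_MAX_RECURSION` and memory use would remain unbounded. Either confirm that such cycles are rejected before this point, or state the limitation in the comment, e.g. `/* only catches the same identifier expanded repeatedly in a row; longer cycles are not detected here */`. Separately, `strcpy (prevname, name2);` is safe only while both arrays keep the same size, so `snprintf (prevname, sizeof (prevname), "%s", name2);` would keep the copy bounded if one declaration changes. The enclosing function starts and ends outside the hunk.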