Fix Potential ASN1 Buffer Overflows in EnterContainer() and DecodeHead()

project-chip · Jun 13, 2022 · 554850d · 554850d
1 parent 8cbfd2f
commit 554850d
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/lib/asn1/ASN1Reader.cpp b/src/lib/asn1/ASN1Reader.cpp
@@ -1,6 +1,6 @@
 /*
  *
- *    Copyright (c) 2020-2021 Project CHIP Authors
+ *    Copyright (c) 2020-2022 Project CHIP Authors
  *    Copyright (c) 2013-2017 Nest Labs, Inc.
  *    All rights reserved.
  *
@@ -113,6 +113,7 @@ CHIP_ERROR ASN1Reader::EnterContainer(uint32_t offset)
     mElemStart = Value + offset;
     if (!IndefiniteLen)
     {
+        VerifyOrReturnError(mBufEnd - Value >= ValueLen, ASN1_ERROR_VALUE_OVERFLOW);
         mContainerEnd = Value + ValueLen;
     }
 
@@ -303,8 +304,8 @@ CHIP_ERROR ASN1Reader::DecodeHead()
         IndefiniteLen = false;
     }
 
+    VerifyOrReturnError(mBufEnd - p >= ValueLen, ASN1_ERROR_VALUE_OVERFLOW);
     VerifyOrReturnError(CanCastTo<uint32_t>(p - mElemStart), ASN1_ERROR_VALUE_OVERFLOW);
-
     mHeadLen = static_cast<uint32_t>(p - mElemStart);
 
     EndOfContents = (Class == kASN1TagClass_Universal && Tag == 0 && !Constructed && ValueLen == 0);