Blame SOURCES/opensc-0.20.0-CVE-2020-26570.patch
|
|
ab1581 |
commit 6903aebfddc466d966c7b865fae34572bf3ed23e
|
|
|
ab1581 |
Author: Frank Morgner <frankmorgner@gmail.com>
|
|
|
ab1581 |
Date: Thu Jul 30 02:21:17 2020 +0200
|
|
|
ab1581 |
|
|
|
ab1581 |
Heap-buffer-overflow WRITE
|
|
|
ab1581 |
|
|
|
ab1581 |
fixes https://oss-fuzz.com/testcase-detail/5088104168554496
|
|
|
ab1581 |
|
|
|
ab1581 |
diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
|
|
|
ab1581 |
index a873aaa0..2fb32b8d 100644
|
|
|
ab1581 |
--- a/src/libopensc/pkcs15-oberthur.c
|
|
|
ab1581 |
+++ b/src/libopensc/pkcs15-oberthur.c
|
|
|
ab1581 |
@@ -271,11 +271,15 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
|
|
|
ab1581 |
rv = sc_read_binary(card, 0, *out, sz, 0);
|
|
|
ab1581 |
}
|
|
|
ab1581 |
else {
|
|
|
ab1581 |
- int rec;
|
|
|
ab1581 |
- int offs = 0;
|
|
|
ab1581 |
- int rec_len = file->record_length;
|
|
|
ab1581 |
+ size_t rec;
|
|
|
ab1581 |
+ size_t offs = 0;
|
|
|
ab1581 |
+ size_t rec_len = file->record_length;
|
|
|
ab1581 |
|
|
|
ab1581 |
for (rec = 1; ; rec++) {
|
|
|
ab1581 |
+ if (rec > file->record_count) {
|
|
|
ab1581 |
+ rv = 0;
|
|
|
ab1581 |
+ break;
|
|
|
ab1581 |
+ }
|
|
|
ab1581 |
rv = sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR);
|
|
|
ab1581 |
if (rv == SC_ERROR_RECORD_NOT_FOUND) {
|
|
|
ab1581 |
rv = 0;
|