[erlang-patches] ASN.1 Long Definite Length
Vance Shipley
vances@REDACTED
Mon May 16 05:59:33 CEST 2011
While looking into this problem I believe I have spotted another
small bug. The while loop will result in memory beyond the end
of the input buffer being read. The attached patch to the existing
file corrects this.
On Sun, May 15, 2011 at 07:19:20AM +0530, Vance Shipley wrote:
} The asn1_erl_driver driver does not perform adequate bounds
} checking in the case where the length value of a TLV is a
} Long Definite Length.
--
-Vance
-------------- next part --------------
--- lib/asn1/c_src/asn1_erl_driver.c
+++ lib/asn1/c_src/asn1_erl_driver.c
@@ -1294,7 +1294,7 @@
printf("decode_value,lenoflen:%d\r\n",lenoflen);
#endif
len = 0;
- while (lenoflen-- && (*ib_index <= in_buf_len)) {
+ while (lenoflen-- && (*ib_index < in_buf_len)) {
(*ib_index)++;
#ifdef ASN1_DEBUG
printf("decode_value1:ii=%d.\r\n",*ib_index);
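Review bot: In the changed loop condition, `*ib_index < in_buf_len` is tested before the `(*ib_index)++` at the top of the body, so inside the body the index can still be equal to in_buf_len. If the length octet is read at in_buf[*ib_index] after that increment (the read is outside the visible lines), the last iteration still touches one byte past the buffer. Testing `(*ib_index + 1) < in_buf_len`, or checking the bound after the increment, would close that. Separately, when the bound stops the loop while lenoflen octets remain, the code falls through with a partially accumulated len. An explicit error return at that point would reject a truncated Long Definite Length instead of decoding it with a short value.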