1 files changed, 55 insertions, 0 deletions

diff --git a/main/libtasn1/CVE-2015-2806.patch b/main/libtasn1/CVE-2015-2806.patch
new file mode 100644
index 0000000000..43ba6e4b89
--- /dev/null
+++ b/main/libtasn1/CVE-2015-2806.patch
@@ -0,0 +1,55 @@
+From 4d4f992826a4962790ecd0cce6fbba4a415ce149 Mon Sep 17 00:00:00 2001
+From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
+Date: Thu, 26 Mar 2015 18:34:57 +0100
+Subject: [PATCH] increased size of LTOSTR_MAX_SIZE to account for sign and null byte
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+This address an overflow found by Hanno Böck in DER decoding.
+---
+ lib/parser_aux.c |    4 ++--
+ lib/parser_aux.h |    5 +++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/lib/parser_aux.c b/lib/parser_aux.c
+index d3e9009..da9a388 100644
+--- a/lib/parser_aux.c
++++ b/lib/parser_aux.c
+@@ -543,7 +543,7 @@ _asn1_delete_list_and_nodes (void)
+ 
+ 
+ char *
+-_asn1_ltostr (long v, char *str)
++_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE])
+ {
+   long d, r;
+   char temp[LTOSTR_MAX_SIZE];
+@@ -567,7 +567,7 @@ _asn1_ltostr (long v, char *str)
+       count++;
+       v = d;
+     }
+-  while (v);
++  while (v && ((start+count) < LTOSTR_MAX_SIZE-1));
+ 
+   for (k = 0; k < count; k++)
+     str[k + start] = temp[start + count - k - 1];
+diff --git a/lib/parser_aux.h b/lib/parser_aux.h
+index 55d9061..437f1c8 100644
+--- a/lib/parser_aux.h
++++ b/lib/parser_aux.h
+@@ -52,8 +52,9 @@ void _asn1_delete_list (void);
+ 
+ void _asn1_delete_list_and_nodes (void);
+ 
+-#define LTOSTR_MAX_SIZE 20
+-char *_asn1_ltostr (long v, char *str);
++/* Max 64-bit integer length is 20 chars + 1 for sign + 1 for null termination */
++#define LTOSTR_MAX_SIZE 22
++char *_asn1_ltostr (long v, char str[LTOSTR_MAX_SIZE]);
+ 
+ asn1_node _asn1_find_up (asn1_node node);
+ 
+-- 
+1.7.2.5
+