diff -u -r libtasn1-2.14.orig/lib/decoding.c libtasn1-2.14/lib/decoding.c --- libtasn1-2.14.orig/lib/decoding.c 2012-09-13 01:16:23.000000000 -0500 +++ libtasn1-2.14/lib/decoding.c 2014-06-05 16:42:36.495243018 -0500 @@ -149,7 +149,7 @@ /* Long form */ punt = 1; ris = 0; - while (punt <= der_len && der[punt] & 128) + while (punt < der_len && der[punt] & 128) { last = ris; @@ -226,12 +226,11 @@ int *ret_len, unsigned char *str, int str_size, int *str_len) { - int len_len; + int len_len = 0; if (der_len <= 0) return ASN1_GENERIC_ERROR; - /* if(str==NULL) return ASN1_SUCCESS; */ *str_len = asn1_get_length_der (der, der_len, &len_len); if (*str_len < 0) @@ -239,7 +238,10 @@ *ret_len = *str_len + len_len; if (str_size >= *str_len) - memcpy (str, der + len_len, *str_len); + { + if (*str_len > 0 && str != NULL) + memcpy (str, der + len_len, *str_len); + } else { return ASN1_MEM_ERROR; @@ -259,7 +261,7 @@ if (der_len <= 0 || str == NULL) return ASN1_DER_ERROR; str_len = asn1_get_length_der (der, der_len, &len_len); - if (str_len < 0 || str_size < str_len) + if (str_len <= 0 || str_size < str_len) return ASN1_DER_ERROR; memcpy (str, der + len_len, str_len); str[str_len] = 0; @@ -285,7 +287,7 @@ return ASN1_GENERIC_ERROR; len = asn1_get_length_der (der, der_len, &len_len); - if (len < 0 || len > der_len || len_len > der_len) + if (len <= 0 || len > der_len || len_len > der_len) return ASN1_DER_ERROR; val1 = der[len_len] / 40; @@ -347,7 +349,7 @@ int *ret_len, unsigned char *str, int str_size, int *bit_len) { - int len_len, len_byte; + int len_len = 0, len_byte; if (der_len <= 0) return ASN1_GENERIC_ERROR; 
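Review bot: In the `@@ -239,7 +238,10 @@` hunk of lib/decoding.c, the new `str != NULL` guard makes a NULL output buffer a supported input, but nothing documents it now that the old commented-out `if(str==NULL)` line is removed. When `str` is NULL and `str_size >= *str_len`, the function skips the copy and falls through the success branch, so a caller that passes NULL by mistake gets no data and no error. I would add a comment above the branch such as `/* str may be NULL: nothing is copied, only *ret_len and *str_len are reported */`. The same applies to the `if (len_byte > 0 && str)` guard added in the `@@ -358,8 +360,14 @@` hunk; the two guards could also spell the NULL test the same way. The function body starts and ends outside the hunk.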
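Review bot: In the `@@ -259,7 +261,7 @@` hunk, the tightened check still admits `str_len == str_size`, and the unchanged line `str[str_len] = 0;` then writes the terminator at index `str_size`. That is only in bounds if every caller passes `str_size` as the buffer capacity minus one, which cannot be confirmed from this diff. Either reject the equal case with `if (str_len <= 0 || str_size <= str_len)`, or state the contract in a comment such as `/* str must have room for str_size + 1 bytes */`. The start of the function is outside the hunk.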
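Review bot: In the `@@ -285,7 +287,7 @@` hunk, the guard tests `len` and `len_len` against `der_len` separately, so it does not establish that the content bytes `der[len_len]` through `der[len_len + len - 1]` lie inside the input. As written, `len_len == der_len` passes the check and the next line reads `der[len_len]`. Unless `asn1_get_length_der` already rejects a length that runs past `der_len` (not visible in this diff), the combined bound is needed: `if (len <= 0 || len > der_len || len_len > der_len - len)`. The rest of the function, which walks the remaining content bytes, is outside the hunk.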
@@ -358,8 +360,14 @@ *ret_len = len_byte + len_len + 1; *bit_len = len_byte * 8 - der[len_len]; + if (*bit_len <= 0) + return ASN1_DER_ERROR; + if (str_size >= len_byte) - memcpy (str, der + len_len + 1, len_byte); + { + if (len_byte > 0 && str) + memcpy (str, der + len_len + 1, len_byte); + } else { return ASN1_MEM_ERROR; diff -u -r libtasn1-2.14.orig/lib/element.c libtasn1-2.14/lib/element.c --- libtasn1-2.14.orig/lib/element.c 2012-09-24 06:51:43.000000000 -0500 +++ libtasn1-2.14/lib/element.c 2014-06-05 16:50:27.290222945 -0500 @@ -112,8 +112,11 @@ /* VALUE_OUT is too short to contain the value conversion */ return ASN1_MEM_ERROR; - for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) - value_out[k2 - k] = val[k2]; + if (value_out != NULL) + { + for (k2 = k; k2 < SIZEOF_UNSIGNED_LONG_INT; k2++) + value_out[k2 - k] = val[k2]; + } #if 0 printf ("_asn1_convert_integer: valueIn=%s, lenOut=%d", value, *len); @@ -617,7 +620,8 @@ if (ptr_size < data_size) { \ return ASN1_MEM_ERROR; \ } else { \ - memcpy( ptr, data, data_size); \ + if (ptr && data_size > 0) \ + memcpy( ptr, data, data_size); \ } #define PUT_STR_VALUE( ptr, ptr_size, data) \ @@ -626,16 +630,19 @@ return ASN1_MEM_ERROR; \ } else { \ /* this strcpy is checked */ \ - _asn1_strcpy(ptr, data); \ + if (ptr) { \ + _asn1_strcpy(ptr, data); \ + } \ } #define ADD_STR_VALUE( ptr, ptr_size, data) \ - *len = (int) _asn1_strlen(data) + 1; \ - if (ptr_size < (int) _asn1_strlen(ptr)+(*len)) { \ + *len += _asn1_strlen(data); \ + if (ptr_size < (int) *len) { \ + (*len)++; \ return ASN1_MEM_ERROR; \ } else { \ /* this strcat is checked */ \ - _asn1_strcat(ptr, data); \ + if (ptr) _asn1_strcat(ptr, data); \ } /** @@ -792,7 +799,9 @@ case TYPE_OBJECT_ID: if (node->type & CONST_ASSIGN) { - value[0] = 0; + *len = 0; + if (value) + value[0] = 0; p = node->down; while (p) { @@ -806,7 +815,7 @@ } p = p->right; } - *len = _asn1_strlen (value) + 1; + (*len)++; } else if ((node->type & CONST_DEFAULT) && (node->value == NULL)) {
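Review bot: In the `@@ -358,8 +360,14 @@` hunk, the new `if (*bit_len <= 0)` test rejects a BIT STRING with zero data bits, which is a valid encoding (content is just the unused-bits octet `0`), assuming `len_byte` is the content length minus that octet as the `*ret_len` line suggests. The `len_byte > 0` guard on `memcpy` already covers the empty case, so `< 0` is enough for memory safety. The unused-bits octet `der[len_len]` is also used without a range check, so a value above 7 with enough data bytes still yields a positive `*bit_len` and is accepted. I would write `if (der[len_len] > 7 || *bit_len < 0) return ASN1_DER_ERROR;`. Note too that `*ret_len` and `*bit_len` have already been stored when the error is returned.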
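Review bot: In the `@@ -626,16 +630,19 @@` hunk of lib/element.c, the rewritten `ADD_STR_VALUE` no longer reserves space for the string terminator. `*len` now accumulates only `_asn1_strlen(data)`, and the test `ptr_size < (int) *len` lets `ptr_size == *len` through, after which `_asn1_strcat` writes `*len` characters plus a NUL, one byte more than `ptr_size`. The removed lines counted the `+ 1` before comparing; the new test should do the same, e.g. `if (ptr_size < (int) *len + 1) {`. The macro also now relies on `*len` being zeroed before its first use, which the `@@ -792,7 +799,9 @@` hunk does for the `TYPE_OBJECT_ID` case; any other use site is outside this diff and should be checked.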