aboutsummaryrefslogblamecommitdiffstats
path: root/community/opensc/CVE-2020-26570.patch
blob: c345cab3a28dec6a5bba118d88069c0205ebf71d (plain) (tree)
































                                                                                                      
From 6903aebfddc466d966c7b865fae34572bf3ed23e Mon Sep 17 00:00:00 2001
From: Frank Morgner <frankmorgner@gmail.com>
Date: Thu, 30 Jul 2020 02:21:17 +0200
Subject: [PATCH] Heap-buffer-overflow WRITE

fixes https://oss-fuzz.com/testcase-detail/5088104168554496
---
 src/libopensc/pkcs15-oberthur.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/libopensc/pkcs15-oberthur.c b/src/libopensc/pkcs15-oberthur.c
index a873aaa0dd..2fb32b8dba 100644
--- a/src/libopensc/pkcs15-oberthur.c
+++ b/src/libopensc/pkcs15-oberthur.c
@@ -271,11 +271,15 @@ sc_oberthur_read_file(struct sc_pkcs15_card *p15card, const char *in_path,
 		rv = sc_read_binary(card, 0, *out, sz, 0);
 	}
 	else	{
-		int rec;
-		int offs = 0;
-		int rec_len = file->record_length;
+		size_t rec;
+		size_t offs = 0;
+		size_t rec_len = file->record_length;
 
 		for (rec = 1; ; rec++)   {
+			if (rec > file->record_count) {
+				rv = 0;
+				break;
+			}
 			rv = sc_read_record(card, rec, *out + offs + 2, rec_len, SC_RECORD_BY_REC_NR);
 			if (rv == SC_ERROR_RECORD_NOT_FOUND)   {
 				rv = 0;