Pull Basilisk-release forward.

2 files changed, 9 insertions, 2 deletions

diff --git a/security/nss/lib/util/nssutil.h b/security/nss/lib/util/nssutil.h
index 62511eafe..a2be260b0 100644
--- a/security/nss/lib/util/nssutil.h
+++ b/security/nss/lib/util/nssutil.h
@@ -19,10 +19,10 @@
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <Beta>]"
  */
-#define NSSUTIL_VERSION "3.41"
+#define NSSUTIL_VERSION "3.41.2"
 #define NSSUTIL_VMAJOR 3
 #define NSSUTIL_VMINOR 41
-#define NSSUTIL_VPATCH 0
+#define NSSUTIL_VPATCH 2
 #define NSSUTIL_VBUILD 0
 #define NSSUTIL_BETA PR_FALSE
 
diff --git a/security/nss/lib/util/quickder.c b/security/nss/lib/util/quickder.c
index 7a6ac1c53..70ae42b27 100644
--- a/security/nss/lib/util/quickder.c
+++ b/security/nss/lib/util/quickder.c
@@ -757,6 +757,13 @@ DecodeItem(void* dest,
                         }
 
                         case SEC_ASN1_BIT_STRING: {
+                            /* Can't be 8 or more spare bits, or any spare bits
+                             * if there are no octets. */
+                            if (temp.data[0] >= 8 || (temp.data[0] > 0 && temp.len == 1)) {
+                                PORT_SetError(SEC_ERROR_BAD_DER);
+                                rv = SECFailure;
+                                break;
+                            }
                             /* change the length in the SECItem to be the number
                                of bits */
                             temp.len = (temp.len - 1) * 8 - (temp.data[0] & 0x7);