From ef189737a3a97bbdeb06825c06121697f62ed50b Mon Sep 17 00:00:00 2001
From: wolfbeast <mcwerewolf@wolfbeast.com>
Date: Wed, 17 Jul 2019 01:15:00 +0200
Subject: Apply better input checking discipline.

---
 security/nss/lib/util/quickder.c | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'security/nss/lib/util/quickder.c')

diff --git a/security/nss/lib/util/quickder.c b/security/nss/lib/util/quickder.c
index 7a6ac1c53..70ae42b27 100644
--- a/security/nss/lib/util/quickder.c
+++ b/security/nss/lib/util/quickder.c
@@ -757,6 +757,13 @@ DecodeItem(void* dest,
                         }
 
                         case SEC_ASN1_BIT_STRING: {
+                            /* Can't be 8 or more spare bits, or any spare bits
+                             * if there are no octets. */
+                            if (temp.data[0] >= 8 || (temp.data[0] > 0 && temp.len == 1)) {
+                                PORT_SetError(SEC_ERROR_BAD_DER);
+                                rv = SECFailure;
+                                break;
+                            }
                             /* change the length in the SECItem to be the number
                                of bits */
                             temp.len = (temp.len - 1) * 8 - (temp.data[0] & 0x7);
-- 
cgit v1.2.3