Out-of-bound access in ETYPE_OK
Description of problem:
The bound check in the ETYPE_OK macro is off by one and can lead to an out-of-bounds read of the tag table.
Version of libtasn1 used:
4.16.0
Distributor of libtasn1 (e.g., Ubuntu, Fedora, RHEL):
Ubuntu
How reproducible:
#include <stdlib.h>
#include <stdio.h>
#include <libtasn1.h>

int main(int argc, char *argv[]) {
    /* An etype value past the end of the tag table; the bound check in
     * ETYPE_OK accepts it and the table is read out of bounds. */
    unsigned int etype = 38;
    unsigned int str_len = 10;
    unsigned char *str = malloc(str_len);
    unsigned int tl_len = 10;
    unsigned char *tl = malloc(tl_len);

    /* The out-of-bounds read happens inside this call, before any
     * encoding is written to tl. */
    asn1_encode_simple_der(etype, str, str_len, tl, &tl_len);

    free(str);
    free(tl);
    return 0;
}
Steps to Reproduce:
- Compile the program with -fsanitize=address,leak,undefined
- Run the resulting binary
Actual results:
==23616==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000042e208 at pc 0x000000402854 bp 0x7fffe0995170 sp 0x7fffe0995160
READ of size 8 at 0x00000042e208 thread T0
#0 0x402853 in asn1_encode_simple_der ../../libtasn1-4.16.0/lib/coding.c:218
Expected results:
The macro should use a strict comparison so that an etype equal to the table size is rejected:
(etype) < _asn1_tags_size
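To illustrate the off-by-one class of bug behind this report, here is an added example (not libtasn1 code) with a constructed stand-in tag table. The `tags`, `tags_size`, `bound_passes_buggy`, `bound_passes_fixed`, `etype_ok` and `etype_desc` names are assumptions made for this example. It shows the `<=` check accepting the one-past-the-end index that the `<` check rejects, and a hardened lookup that never indexes the table with an out-of-range value; the buggy predicate is evaluated without dereferencing, so the example itself runs safely.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a tag table: one entry per encoding type.
 * A NULL desc marks an unused slot. (Added example, not libtasn1 code.) */
struct tag_entry {
    const char *desc;
    unsigned int tag;
};

static const struct tag_entry tags[] = {
    { "BOOLEAN", 1 },
    { "INTEGER", 2 },
    { NULL, 0 },            /* unused slot */
    { "OCTET STRING", 4 },
};

/* Number of entries; a valid index is 0 .. tags_size - 1. */
static const unsigned int tags_size = sizeof tags / sizeof tags[0];

/* Bound check shaped like the reported one: '<=' accepts index == tags_size,
 * which is one element past the end of the array. Returns 1 if the index
 * would be dereferenced, without dereferencing it. */
int bound_passes_buggy(unsigned int etype)
{
    return etype <= tags_size;
}

/* Corrected check: strict '<' keeps every accepted index inside the array. */
int bound_passes_fixed(unsigned int etype)
{
    return etype < tags_size;
}

/* Hardened equivalent of the ETYPE_OK idea: in range AND slot populated.
 * The bound check must come first so that short-circuit evaluation never
 * lets the table be indexed with an out-of-range value. */
int etype_ok(unsigned int etype)
{
    return etype < tags_size && tags[etype].desc != NULL;
}

/* Safe lookup built on the hardened check; returns NULL instead of reading
 * outside the table. */
const char *etype_desc(unsigned int etype)
{
    return etype_ok(etype) ? tags[etype].desc : NULL;
}

int main(void)
{
    unsigned int probe = tags_size;   /* one past the end of the table */
    printf("index %u: buggy check %s, fixed check %s\n", probe,
           bound_passes_buggy(probe) ? "passes" : "rejects",
           bound_passes_fixed(probe) ? "passes" : "rejects");
    printf("etype 3 -> %s, etype 2 -> %s\n",
           etype_desc(3) ? etype_desc(3) : "(none)",
           etype_desc(2) ? etype_desc(2) : "(none)");
    return 0;
}
```

The same shape applies to any "index < count" guard over a fixed table: the count itself is never a valid index, and the range test has to sit on the left of the `&&` so the array access is skipped entirely when the test fails.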