certtool dumps core when parsing a file that contains more than 16 certificates.
certtool dumps core when it is used to verify a PEM-encoded certificate chain that contains more than 16 certificates.

Steps to reproduce:

```
# certtool --infile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -e
```

The stack:

```
Reading symbols from certtool...
Reading symbols from /usr/lib/debug//usr/bin/certtool-3.8.0-3.x86_64.debug...
[New LWP 113834]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
Core was generated by `certtool --infile=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -e'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
44 return INTERNAL_SYSCALL_ERROR_P (ret) ? INTERNAL_SYSCALL_ERRNO (ret) : 0;
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
    at pthread_kill.c:44
#1 0x00007fe0c54fdf53 in __pthread_kill_internal (signo=6, threadid=<optimized out>) at pthread_kill.c:78
#2 0x00007fe0c54b1d56 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007fe0c549d197 in __GI_abort () at abort.c:79
#4 0x00007fe0c54f2037 in __libc_message (action=action@entry=do_abort,
    fmt=fmt@entry=0x7fe0c562b5d9 "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#5 0x00007fe0c558dd3a in __GI___fortify_fail (msg=msg@entry=0x7fe0c562b57f "buffer overflow detected")
    at fortify_fail.c:26
#6 0x00007fe0c558c656 in __GI___chk_fail () at chk_fail.c:28
#7 0x00007fe0c5c5bebd in memcpy (__len=1160, __src=0x555bd8056110, __dest=0x7ffdcaec35a0)
    at /usr/include/bits/string_fortified.h:29
#8 gnutls_x509_trust_list_verify_crt2 (list=0x555bd80548d0, cert_list=0x555bd8056110, cert_list_size=145,
    data=data@entry=0x0, elements=elements@entry=0, flags=4, voutput=0x7ffdcaec3758,
    func=0x555bd61b2190 <detailed_verification>) at verify-high.c:1475
#9 0x00007fe0c5c5cdc5 in gnutls_x509_trust_list_verify_crt (list=<optimized out>, cert_list=<optimized out>,
    cert_list_size=<optimized out>, flags=<optimized out>, voutput=<optimized out>, func=<optimized out>)
    at verify-high.c:1337
#10 0x0000555bd61b2dd5 in _verify_x509_mem (cert=0x7fe0c52bc010, cert_size=223196, cinfo=<optimized out>,
    use_system_trust=<optimized out>, purpose=0x0, hostname=0x0, email=0x0) at certtool.c:2496
#11 0x0000555bd61b771f in verify_certificate (cinfo=<optimized out>) at certtool.c:2584
#12 cmd_parser (argc=<optimized out>, argv=<optimized out>) at certtool.c:1493
#13 0x0000555bd61b084a in main (argc=3, argv=0x7ffdcaec3b88) at certtool.c:131
(gdb) f 8
#8 gnutls_x509_trust_list_verify_crt2 (list=0x555bd80548d0, cert_list=0x555bd8056110, cert_list_size=145,
    data=data@entry=0x0, elements=elements@entry=0, flags=4, voutput=0x7ffdcaec3758,
    func=0x555bd61b2190 <detailed_verification>) at verify-high.c:1475
1475 memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
(gdb) p cert_list_size
$1 = 145
(gdb) ptype sorted
type = struct gnutls_x509_crt_int {
    asn1_node cert;
    int use_extensions;
    unsigned int expanded;
    unsigned int modified;
    unsigned int flags;
    struct pin_info_st pin;
    gnutls_datum_t raw_dn;
    gnutls_datum_t raw_issuer_dn;
    gnutls_datum_t raw_spki;
    gnutls_datum_t der;
    gnutls_subject_alt_names_t san;
    gnutls_subject_alt_names_t ian;
    gnutls_x509_dn_st dn;
    gnutls_x509_dn_st idn;
} *[16]
(gdb)
```

In frame 8 the `memcpy` at verify-high.c:1475 copies `cert_list_size` (145) pointers, 1160 bytes in total, into `sorted`, which `ptype` shows is an array of only 16 pointers. The abort comes from glibc's fortified `memcpy` ("buffer overflow detected"); a build without that fortification would presumably perform the out-of-bounds write instead of aborting.

The check of `cert_list_size` is missing from the function `gnutls_x509_trust_list_verify_crt2` in the commit [x509: rework issuer callback](https://gitlab.com/gnutls/gnutls/-/commit/ebb19db9165fed30d73c83bab1b1b8740c132dfd#354f9842fb374676880f1b9cfcbb4c28abe5b38f_1314_1376).