Endless loop in asn1_create_element(), ending in OOM

The following call sequence eats up memory while running in an (endless) loop:

if (asn1_parser2tree("infile", &definitions, errorDescription) == ASN1_SUCCESS)
  asn1_create_element(definitions, "TEST_TREE.Koko", &asn1_element);

with infile being

TEST_TREE { }
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
Koko ::= SEQUENCE {
  x ?L
}
END

Easiest way to reproduce:

  • git checkout tmp-fuzzing
  • ./bootstrap && ./configure && make && cd fuzz
  • make check TESTS=libtasn1_encoding_fuzzer

You have to CTRL-C to stop it. It hangs in _asn1_expand_identifier(), each loop iteration running through the code block of if (type_field (p->type) == ASN1_ETYPE_IDENTIFIER).
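As an added illustration (not libtasn1's code, and not a claim about what exactly makes _asn1_expand_identifier() loop), here is a constructed C model of identifier expansion that caps the number of reference hops by the table size, so an undefined target such as the `?L` above, or a reference cycle, is reported instead of followed indefinitely; the node types, the flat table layout and the result names are assumptions.

```c
/* Constructed model (not libtasn1's code) of expanding ASN.1 type identifiers
   in a flat definitions table. A reference whose target is missing (like "?L"
   in the report) or that loops back on itself is reported, not followed forever. */
#include <stddef.h>
#include <string.h>

enum etype { ETYPE_INTEGER, ETYPE_SEQUENCE, ETYPE_IDENTIFIER };

typedef struct {
    const char *name;   /* definition name, e.g. "Koko" (member "x" flattened in) */
    enum etype type;    /* node type, standing in for libtasn1's ASN1_ETYPE_* */
    const char *target; /* referenced name when type == ETYPE_IDENTIFIER */
} def_t;

/* assumed result codes for this model */
enum { EXPAND_OK = 0, EXPAND_NOT_FOUND = -1, EXPAND_CYCLE = -2 };

static const def_t *find_def(const def_t *defs, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(defs[i].name, name) == 0)
            return &defs[i];
    return NULL;
}

/* Follow identifier references starting at 'name'. Every hop is looked up in
   the table and the hop count is capped by the table size, so a missing
   definition yields EXPAND_NOT_FOUND and a cycle yields EXPAND_CYCLE instead
   of an endless loop. On success *out (if non-NULL) gets the concrete type. */
int expand_identifier(const def_t *defs, size_t n, const char *name, enum etype *out)
{
    size_t hops = 0;
    for (;;) {
        const def_t *d = find_def(defs, n, name);
        if (d == NULL)
            return EXPAND_NOT_FOUND;        /* e.g. "?L" is never defined */
        if (d->type != ETYPE_IDENTIFIER) {
            if (out) *out = d->type;
            return EXPAND_OK;
        }
        if (++hops > n)                     /* more hops than definitions */
            return EXPAND_CYCLE;
        name = d->target;
    }
}

/* Constructed tables: the report's Koko/x case, a valid chain, and a cycle. */
static const def_t koko_defs[]  = { { "Koko", ETYPE_SEQUENCE, NULL }, { "x", ETYPE_IDENTIFIER, "?L" } };
static const def_t chain_defs[] = { { "A", ETYPE_IDENTIFIER, "B" }, { "B", ETYPE_IDENTIFIER, "Int" }, { "Int", ETYPE_INTEGER, NULL } };
static const def_t cycle_defs[] = { { "A", ETYPE_IDENTIFIER, "B" }, { "B", ETYPE_IDENTIFIER, "A" } };
```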