From: David Woodhouse <david.woodho...@intel.com>

Use the new OBJ_get0_data() accessor to compare the data, and actually
check the length of the object too.

Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: David Woodhouse <david.woodho...@intel.com>
Tested-by: Laszlo Ersek <ler...@redhat.com>
---
 CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c 
b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
index 9e93355..857281d 100644
--- a/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
+++ b/CryptoPkg/Library/BaseCryptLib/Pk/CryptAuthenticode.c
@@ -77,7 +77,7 @@ AuthenticodeVerify (
   UINT8        *SpcIndirectDataContent;
   UINT8        Asn1Byte;
   UINTN        ContentSize;
-  UINT8        *SpcIndirectDataOid;
+  CONST UINT8  *SpcIndirectDataOid;
 
   //
   // Check input parameters.
@@ -115,8 +115,9 @@ AuthenticodeVerify (
   //       some authenticode-specific structure. Use opaque ASN.1 string to 
retrieve
   //       PKCS#7 ContentInfo here.
   //
-  SpcIndirectDataOid = (UINT8 *)(Pkcs7->d.sign->contents->type->data);
-  if (CompareMem (
+  SpcIndirectDataOid = OBJ_get0_data(Pkcs7->d.sign->contents->type);
+  if (OBJ_length(Pkcs7->d.sign->contents->type) != 
sizeof(mSpcIndirectOidValue) ||
+      CompareMem (
         SpcIndirectDataOid,
         mSpcIndirectOidValue,
         sizeof (mSpcIndirectOidValue)
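Review bot: In the new condition, OBJ_get0_data(, OBJ_length( and sizeof(mSpcIndirectOidValue) are written without a space before the parenthesis, while the unchanged CompareMem ( and sizeof (mSpcIndirectOidValue) lines of the same statement use one; please match the surrounding style. Pkcs7->d.sign->contents->type is now spelled out twice, so a local variable holding it would shorten the condition and keep the length and data accessors visibly tied to the same object. The ordering is right: with the length test first, the short-circuit || keeps CompareMem from reading sizeof (mSpcIndirectOidValue) bytes out of a shorter object. The commit message could say that this is the reason for the added length check.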
-- 
2.4.3

-- 
David Woodhouse                            Open Source Technology Centre
david.woodho...@intel.com                              Intel Corporation
