[S] Change in libasn1c[master]: coverity CID#57681

Mon, 02 Sep 2024 21:02:17 -0700 

neels has uploaded this change for review. ( 
https://gerrit.osmocom.org/c/libasn1c/+/37984?usp=email )


Change subject: coverity CID#57681
......................................................................

coverity CID#57681

Make sure that bits_unused cannot subtract more bits than present in
st->size.

Especially when st->size == 0, this ensures that sizeinunits is also 0,
and that a st->size == 0 hence never enters the while (sizeinunits)
loop.

Change-Id: Ic8e3f5e24541989b79826de2942e5e6560079028
---
M src/OCTET_STRING.c
1 file changed, 9 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.osmocom.org:29418/libasn1c refs/changes/84/37984/1

diff --git a/src/OCTET_STRING.c b/src/OCTET_STRING.c
index 3e424e7..9d2e817 100644
--- a/src/OCTET_STRING.c
+++ b/src/OCTET_STRING.c
@@ -1859,6 +1859,7 @@
         unsigned int unit_bits;
         unsigned int canonical_unit_bits;
         unsigned int sizeinunits;
+        unsigned int unused;
         const uint8_t *buf;
         int ret;
         enum {
@@ -1888,7 +1889,11 @@
         case ASN_OSUBV_BIT:
                 canonical_unit_bits = unit_bits = 1;
                 bpc = OS__BPC_BIT;
-                sizeinunits = st->size * 8 - (st->bits_unused & 0x07);
+                sizeinunits = st->size * 8;
+                /* make sure sizeinunits cannot wrap past zero (especially 
when st->size == 0). */
+                unused = st->bits_unused & 0x07;
+                if (unused <= sizeinunits)
+                        sizeinunits -= unused;
                 ASN_DEBUG("BIT STRING of %d bytes",
                                 sizeinunits);
                break;
@@ -1994,6 +1999,9 @@
                                maySave, bpc, unit_bits,
                                cval->lower_bound, cval->upper_bound, pc);
                } else {
+                       /* coverity CID#57681: st->buf can be NULL, but above, 
we've verified that when st->buf == NULL,
+                        * then also st->size == 0, and hence sizeinunits == 0, 
hence this 'while' will skip entirely,
+                        * and hence it is safe to dereference buf here. */
                        ret = per_put_many_bits(po, buf, maySave * unit_bits);
                }
                if(ret) _ASN_ENCODE_FAILED;

--
To view, visit https://gerrit.osmocom.org/c/libasn1c/+/37984?usp=email
To unsubscribe, or for help writing mail filters, visit 
https://gerrit.osmocom.org/settings?usp=email

Gerrit-MessageType: newchange
Gerrit-Project: libasn1c
Gerrit-Branch: master
Gerrit-Change-Id: Ic8e3f5e24541989b79826de2942e5e6560079028
Gerrit-Change-Number: 37984
Gerrit-PatchSet: 1
Gerrit-Owner: neels <[email protected]>

Reply via email to