The asn1_get_bit_der function in GNU Libtasn1 before 3.6 does not properly report an error when a negative bit length is identified, which allows context-dependent attackers to cause out-of-bounds access via crafted ASN.1 data.
diff --git a/lib/decoding.c b/lib/decoding.c
index 7e0ed05..894be79 100644
--- a/lib/decoding.c
+++ b/lib/decoding.c
@@ -249,7 +249,7 @@ asn1_get_octet_der (const unsigned char *der, int der_len,
int *ret_len, unsigned char *str, int str_size,
int *str_len)
{
- int len_len;
+ int len_len = 0;
if (der_len <= 0)
return ASN1_GENERIC_ERROR;
@@ -371,7 +371,7 @@ asn1_get_bit_der (const unsigned char *der, int der_len,
int *ret_len, unsigned char *str, int str_size,
int *bit_len)
{
- int len_len, len_byte;
+ int len_len = 0, len_byte;
if (der_len <= 0)
return ASN1_GENERIC_ERROR;
@@ -381,6 +381,9 @@ asn1_get_bit_der (const unsigned char *der, int der_len,
*ret_len = len_byte + len_len + 1;
*bit_len = len_byte * 8 - der[len_len];
+
+ if (*bit_len <= 0)
+ return ASN1_DER_ERROR;
if (str_size >= len_byte)
memcpy (str, der + len_len + 1, len_byte);
