From ae00278e8ad401b48b7fd8d6e2208ca3e6549891 Mon Sep 17 00:00:00 2001
From: Mansour Moufid
Date: Tue, 23 Aug 2011 18:01:10 -0400
Subject: [PATCH] Fix a potential buffer overflow in `lib/coding.c'.

In the function `_asn1_objectid_der' of the file `lib/coding.c', if the `str' parameter is long enough (i.e. strlen (str) == SIZE_MAX) then ``strlen (str) + 2'' will overflow to ``1'', `temp' will be a single byte allocation, and the next strcpy will cause a classic buffer overflow.

Fixed by initializing `temp' to NULL, checking for integer overflow, and using strncpy (and strncat) instead of strcpy (and strcat).
---
 lib/coding.c | 13 +++++++++----
 1 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/lib/coding.c b/lib/coding.c
index 111e063..367dada 100644
--- a/lib/coding.c
+++ b/lib/coding.c
@@ -253,18 +253,23 @@ static asn1_retCode
 _asn1_objectid_der (unsigned char *str, unsigned char *der, int *der_len)
 {
   int len_len, counter, k, first, max_len;
-  char *temp, *n_end, *n_start;
+  char *temp = NULL, *n_end, *n_start;
   unsigned char bit7;
   unsigned long val, val1 = 0;
+  size_t temp_size = str ? strlen (str) : 0;
+
+  temp_size += 2;
+  if (temp_size < 2)
+    return ASN1_MEM_ALLOC_ERROR;
 
   max_len = *der_len;
 
-  temp = (char *) _asn1_malloc (strlen (str) + 2);
+  temp = (char *) _asn1_malloc (temp_size);
   if (temp == NULL)
     return ASN1_MEM_ALLOC_ERROR;
 
-  strcpy (temp, str);
-  strcat (temp, ".");
+  strncpy (temp, str ? str : "", temp_size);
+  strncat (temp, ".", 1);
 
   counter = 0;
   n_start = temp;
-- 
1.7.1
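Review bot: The new `strncat (temp, ".", 1)` bounds the source string, not the remaining room in `temp`, so it adds none of the protection the commit message credits it with; the write stays in bounds only because `temp_size` already reserves the byte for "." and the terminator. Either keep the original `strcat (temp, ".")` with a comment that the size computation guarantees the room, or bound it on the destination: `strncat (temp, ".", temp_size - strlen (temp) - 1);`. Likewise `strncpy (temp, str ? str : "", temp_size)` is correct here but only because `temp_size >= strlen (str) + 1`; a `snprintf (temp, temp_size, "%s.", str ? (char *) str : "")` would express both copies and the bound in one call. Separately, a NULL `str`, which previously faulted in `strlen`, now produces `temp == "."` and falls through into the parsing loop; whether that yields a meaningful result cannot be seen from the hunk, so an explicit early `if (str == NULL) return ...` with whatever error code callers expect would make the contract clearer. `_asn1_objectid_der` continues past the end of the hunk.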