From 7f385ebd984ed2931daa761819816b3e9da7d63c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Gustavsson?= <bjorn@erlang.org>
Date: Wed, 25 Jun 2014 12:45:48 +0200
Subject: BER decoding: Improve error checking for indefinite length

When an indefinite length was given, the decoder could look beyond
the end of the buffer for the 0,0 that signals the end of the value.
---
 lib/asn1/test/ber_decode_error.erl | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'lib/asn1/test')

diff --git a/lib/asn1/test/ber_decode_error.erl b/lib/asn1/test/ber_decode_error.erl
index 8be92292ee..6fd2450c62 100644
--- a/lib/asn1/test/ber_decode_error.erl
+++ b/lib/asn1/test/ber_decode_error.erl
@@ -51,4 +51,18 @@ run([]) ->
     {error,{asn1,{invalid_value,_}}} =
 	(catch 'Constructed':decode('I', <<8,7>>)),
 
+    %% Short indefinite length. Make sure that the decoder doesn't look
+    %% beyond the end of binary when looking for a 0,0 terminator.
+    {error,{asn1,{invalid_length,_}}} =
+	(catch 'Constructed':decode('S', sub(<<8,16#80,0,0>>, 3))),
+    {error,{asn1,{invalid_length,_}}} =
+	(catch 'Constructed':decode('S', sub(<<8,16#80,0,0>>, 2))),
+    {error,{asn1,{invalid_length,_}}} =
+	(catch 'Constructed':decode('S', sub(<<40,16#80,1,1,255,0,0>>, 6))),
+    {error,{asn1,{invalid_length,_}}} =
+	(catch 'Constructed':decode('S', sub(<<40,16#80,1,1,255,0,0>>, 5))),
     ok.
+
+sub(Bin, Bytes) ->
+    <<B:Bytes/binary,_/binary>> = Bin,
+    B.
-- 
cgit v1.2.3