ber_get_next: return error if decoded ber_len is smaller than actual count
authorHoward Chu <hyc@openldap.org>
Wed, 13 Feb 2002 09:59:10 +0000 (09:59 +0000)
committerHoward Chu <hyc@openldap.org>
Wed, 13 Feb 2002 09:59:10 +0000 (09:59 +0000)
libraries/liblber/io.c

index bde7ce305558d64172bf28b9f073ea66efbc7651..4a687de4830faf0392f5149b7f0fd70acd4a1299 100644 (file)
@@ -548,6 +548,15 @@ ber_get_next(
                }
 
                if (ber->ber_buf==NULL) {
+                       ber_len_t l = ber->ber_rwptr - ber->ber_ptr;
+                       /* ber->ber_ptr is always <= ber->ber->ber_rwptr.
+                        * make sure ber->ber_len agrees with what we've
+                        * already read.
+                        */
+                       if ( ber->ber_len < i + l ) {
+                               errno = ERANGE;
+                               return LBER_DEFAULT;
+                       }
                        ber->ber_buf = (char *) LBER_MALLOC( ber->ber_len + 1 );
                        if (ber->ber_buf==NULL) {
                                return LBER_DEFAULT;
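Review bot: The added guard gives `ber->ber_len` only a lower bound, so the `ber->ber_len + 1` passed to `LBER_MALLOC` just below can still wrap to zero when the decoded length is the largest `ber_len_t` value (the type is unsigned in lber's headers). The allocation would then be undersized while the later copies of `i` and `l` bytes still go ahead. Because the length is decoded from the encoded input, this is worth closing here unless an upper limit is enforced earlier in `ber_get_next`, which this hunk does not show. Extending the test covers it: `if ( ber->ber_len < i + l || ber->ber_len + 1 < ber->ber_len ) {`. The comment above the test also has a typo, `ber->ber->ber_rwptr` for `ber->ber_rwptr`.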
@@ -556,10 +565,9 @@ ber_get_next(
                        if (i) {
                                AC_MEMCPY(ber->ber_buf, buf, i);
                        }
-                       if (ber->ber_ptr < ber->ber_rwptr) {
-                               AC_MEMCPY(ber->ber_buf + i, ber->ber_ptr, ber->ber_rwptr-
-                                       ber->ber_ptr);
-                               i += ber->ber_rwptr - ber->ber_ptr;
+                       if (l > 0) {
+                               AC_MEMCPY(ber->ber_buf + i, ber->ber_ptr, l);
+                               i += l;
                        }
                        ber->ber_ptr = ber->ber_buf;
                        ber->ber_usertag = 0;
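Review bot: `if (l > 0)` no longer checks the pointer ordering that the removed `ber->ber_ptr < ber->ber_rwptr` test did. `l` is a `ber_len_t` difference, and with an unsigned type it would come out as a very large value rather than a negative one if `ber_rwptr` were ever behind `ber_ptr`. The earlier `ber->ber_len < i + l` guard would normally reject that, but only while `i + l` itself does not wrap, so the copy now rests on the invariant stated in the comment. I would make the invariant explicit where `l` is computed, e.g. `if ( ber->ber_rwptr < ber->ber_ptr ) { errno = ERANGE; return LBER_DEFAULT; }`, and write this test as `if (l != 0)` so it does not read like a sign check. The enclosing block of `ber_get_next` continues past the end of the hunk.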