[gnutls-devel] libtasn1 | coding: rewrite _asn1_tag_der() to avoid the tag buffer overrun (#49) (!126)
Read-only notification of GnuTLS library development activities
gnutls-devel at lists.gnutls.org
Tue Jul 14 18:33:23 CEST 2026
Thomas Grainger created a merge request: https://gitlab.com/gnutls/libtasn1/-/merge_requests/126
Project:Branches: graingert/libtasn1:fix-asn1-tag-der-overrun to gnutls/libtasn1:master
Author: Thomas Grainger
Rewrites `_asn1_tag_der()` as a single pass that writes the tag number straight to the output, most significant digit first, emitting at most `ASN1_MAX_TAG_SIZE - 1` continuation bytes. The result always fits in `ASN1_MAX_TAG_SIZE`, so the one-byte overrun in the old reverse-copy loop (issue #49) is impossible by construction, as suggested by @jas in the issue.
The old truncation behaviour for over-long tags is preserved.
Adds `tests/Test_tag.c` covering:
* positive: `[APPLICATION 200000]` (needs the full three base-128 tag bytes) encodes to the known-good DER;
* negative: `[APPLICATION 2097152]` (a tag too large to encode) stays within `ASN1_MAX_TAG_SIZE` — before the rewrite this produced a nine-byte tag and AddressSanitizer reports a stack-buffer-overflow in `_asn1_tag_der`.
Closes #49
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/libtasn1/-/merge_requests/126
You're receiving this email because of your account on gitlab.com. Unsubscribe from this thread: https://gitlab.com/-/namespace/17627195/sent_notifications/5-conm8ohhq9fxo8uashu73jyfx-aht8b/unsubscribe | Manage all notifications: https://gitlab.com/-/profile/notifications | Help: https://gitlab.com/help
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20260714/8d4a0428/attachment-0001.html>
More information about the Gnutls-devel
mailing list