length is a signed 32-bit integer read directly from the input. If the client sends a value greater than INT32_MAX, length becomes negative, and a negative value passes the length > MaxLen check. The second ReadBytes call then returns true without consuming any data, because its read loop never executes when NumBytes is negative.
The caller therefore sees a successful read, but InputBuffer.BufferSize now holds the attacker-supplied value, which is far larger than the real size of InputBuffer. This leads to an out-of-bounds read in TPM_SIGNAL_HASH_DATA. PoC is below.
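The signedness bug described above, as an added example that is not the simulator's own code: a minimal model of the signed-length reader beside a hardened version, fed a constructed frame whose 4-byte length field is 0xFFFFFFFF. The stream_t replay buffer, the function names read_var_bytes_vulnerable / read_var_bytes_fixed and the MAX_BUFFER value are assumptions for illustration; the vulnerable variant reproduces the behaviour the text describes (negative length passes the MaxLen check, the byte read reports success without reading), and the fixed variant rejects the frame by keeping the length unsigned.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical in-memory stream replacing the socket: the example replays a
 * constructed byte sequence instead of calling recv(). */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} stream_t;

/* Model of a recv() loop: a negative num_bytes never enters the loop and is
 * reported as success, exactly the failure mode described in the text. */
static bool read_bytes(stream_t *s, char *buf, int num_bytes)
{
    int got = 0;
    while (got < num_bytes) {
        if (s->pos >= s->len) return false;   /* stream exhausted */
        buf[got++] = (char)s->data[s->pos++];
    }
    return true;
}

/* Big-endian 32-bit length prefix, parsed without ntohl for portability. */
static bool read_u32_be(stream_t *s, uint32_t *out)
{
    uint8_t b[4];
    if (!read_bytes(s, (char *)b, 4)) return false;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
    return true;
}

/* Vulnerable pattern: the length is treated as a signed int and only checked
 * against the upper bound, so 0xFFFFFFFF (-1) slips through. */
static bool read_var_bytes_vulnerable(stream_t *s, char *buf,
                                      uint32_t *received, int max_len)
{
    uint32_t raw;
    if (!read_u32_be(s, &raw)) return false;
    int length = (int)raw;                 /* 0xFFFFFFFF becomes -1 */
    *received = (uint32_t)length;          /* caller's BufferSize is poisoned */
    if (length > max_len) return false;    /* -1 > max_len is false: check bypassed */
    if (length == 0) return true;
    return read_bytes(s, buf, length);     /* negative count: returns true, reads nothing */
}

/* Hardened pattern: keep the length unsigned so there is no negative value to
 * sneak past the bound, and only publish the size after it has been validated. */
static bool read_var_bytes_fixed(stream_t *s, char *buf,
                                 uint32_t *received, uint32_t max_len)
{
    uint32_t length;
    if (!read_u32_be(s, &length)) return false;
    if (length > max_len) return false;    /* catches 0xFFFFFFFF as well */
    *received = length;
    if (length == 0) return true;
    return read_bytes(s, buf, (int)length); /* safe: length <= max_len */
}

#define MAX_BUFFER 4096   /* assumed receive buffer size for this model */

typedef struct { bool ok; uint32_t size; } result_t;

/* Constructed frames: a malicious one with length 0xFFFFFFFF and no payload,
 * and a benign one carrying three bytes. */
static const uint8_t kEvilFrame[] = { 0xFF, 0xFF, 0xFF, 0xFF };
static const uint8_t kGoodFrame[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };

result_t run_vulnerable(const uint8_t *frame, size_t n)
{
    stream_t s = { frame, n, 0 };
    char buf[MAX_BUFFER];
    result_t r = { false, 0 };
    r.ok = read_var_bytes_vulnerable(&s, buf, &r.size, MAX_BUFFER);
    return r;   /* on the evil frame: ok == true, size == 0xFFFFFFFF */
}

result_t run_fixed(const uint8_t *frame, size_t n)
{
    stream_t s = { frame, n, 0 };
    char buf[MAX_BUFFER];
    result_t r = { false, 0 };
    r.ok = read_var_bytes_fixed(&s, buf, &r.size, MAX_BUFFER);
    return r;   /* on the evil frame: ok == false */
}

int main(void)
{
    result_t v = run_vulnerable(kEvilFrame, sizeof kEvilFrame);
    result_t f = run_fixed(kEvilFrame, sizeof kEvilFrame);
    printf("vulnerable: ok=%d BufferSize=%u (buffer holds %d bytes)\n",
           v.ok, v.size, MAX_BUFFER);
    printf("fixed:      ok=%d BufferSize=%u\n", f.ok, f.size);
    return 0;
}
```

The vulnerable reader hands a caller a BufferSize of 4294967295 for a 4096-byte buffer while reporting success; any consumer that trusts that size, as the hash path in TPM_SIGNAL_HASH_DATA does, reads past the end of the buffer. The fix is not an extra "length < 0" test alone but keeping the value unsigned end to end and storing it only after the bound check, so a rejected frame never leaves a stale size behind.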