Closed emillon closed 4 years ago
This is handled there.
Unfortunately, 1,818,000,000 executions later, and I still cannot get AFL to detect this. I suspect that the guided fuzzing it's employing is a little blind to overflows -- as long as they are memory-safe -- as they don't change the control flow. :cry:
Thanks, this is fixed and part of the 0.2.1 release. Closing.
Hi,
As with #23, this was found in a Wycheproof test case.
When parsing BER, the length of structures is computed on int64s, which can overflow. The following case is accepted, while it should be rejected:
Note that the same starting with 0x30 0x89 0x00 should be accepted since it's a valid encoding of len=3.
Thanks!
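The bug class the issue describes, as an added illustration that is not the project's own code: a BER length field decoded into a fixed-width integer can wrap, so a length that is really enormous is read back as a small, plausible one and the structure is accepted. The `decode_length_naive` function below reproduces that failure mode with a 64-bit mask; `decode_length_checked` is the defensive form, which computes the length with arbitrary-precision arithmetic, rejects any length larger than the input that remains, and still accepts non-minimal encodings such as `0x89 0x00 … 0x03` (nine length octets with leading zeros), which BER permits. The sample inputs are constructed here, not the Wycheproof vector from the issue; the 9-octet limit, the function names and the `parse_tlv` helper are assumptions of this example.

```python
"""
Added example (not the project's code): decoding a BER length field safely.

BER length encoding:
  0x00..0x7F       short form, the byte is the length
  0x80             indefinite length (content terminated by 00 00)
  0x81..0xFE       long form, low 7 bits = number of length octets that follow
  0xFF             reserved, must be rejected
"""
from typing import Optional, Tuple

INT64_MASK = 0xFFFF_FFFF_FFFF_FFFF  # models a 64-bit accumulator that wraps
MAX_LENGTH_OCTETS = 9               # assumed policy limit, enough for leading zeros


def decode_length_naive(buf: bytes, pos: int) -> Tuple[Optional[int], int]:
    """The bug class from the issue: accumulate into 64 bits and silently wrap."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    if first == 0x80:
        return None, pos
    n = first & 0x7F
    value = 0
    for b in buf[pos:pos + n]:
        value = ((value << 8) | b) & INT64_MASK  # wraps exactly like an int64
    return value, pos + n


def decode_length_checked(buf: bytes, pos: int) -> Tuple[Optional[int], int]:
    """Defensive decoder: no fixed-width arithmetic, bounded against the input."""
    if pos >= len(buf):
        raise ValueError("truncated: no length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    elif first == 0x80:
        return None, pos  # indefinite form; caller must look for the end-of-contents octets
    elif first == 0xFF:
        raise ValueError("reserved length octet 0xFF")
    else:
        n = first & 0x7F
        if n > MAX_LENGTH_OCTETS:
            raise ValueError(f"length field of {n} octets exceeds policy")
        if pos + n > len(buf):
            raise ValueError("truncated: length octets missing")
        # Python ints are arbitrary precision, so this value cannot wrap.
        # Leading zero octets (a non-minimal BER encoding) are harmless here.
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > len(buf) - pos:
        raise ValueError(f"length {length} exceeds {len(buf) - pos} remaining bytes")
    return length, pos


def parse_tlv(buf: bytes, decoder=decode_length_checked) -> Tuple[int, bytes]:
    """Parse one definite-length TLV and return (tag, contents)."""
    if not buf:
        raise ValueError("empty input")
    tag = buf[0]
    length, pos = decoder(buf, 1)
    if length is None:
        raise ValueError("indefinite length not supported by this helper")
    if pos + length > len(buf):
        raise ValueError("contents run past end of input")
    return tag, buf[pos:pos + length]


# Constructed sample: SEQUENCE with len=3 encoded in nine length octets (leading zeros).
VALID_NONMINIMAL = bytes([0x30, 0x89, 0, 0, 0, 0, 0, 0, 0, 0, 0x03, 1, 2, 3])
# Constructed sample: the same layout, but the true length is 2**64 + 3.
OVERFLOWING = bytes([0x30, 0x89, 0x01, 0, 0, 0, 0, 0, 0, 0, 0x03, 1, 2, 3])


def naive_accepts_overflow() -> bool:
    """True if the wrapping decoder reads the overflowing input as a normal len=3."""
    return decode_length_naive(OVERFLOWING, 1) == (3, 11)


def checked_rejects_overflow() -> bool:
    try:
        decode_length_checked(OVERFLOWING, 1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive decoder accepts overflow:", naive_accepts_overflow())
    print("checked decoder rejects overflow:", checked_rejects_overflow())
    print("non-minimal len=3 parses to:", parse_tlv(VALID_NONMINIMAL))
```

The important property is the last check in `decode_length_checked`: regardless of how the length was encoded, a length larger than the bytes still available is impossible for a well-formed message, so rejecting it closes the whole family of wrap-around cases rather than one specific pattern of length octets.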