Panic when decoding an invalid UTCTime #27

Closed
opened 2021-11-14 06:37:35 -08:00 by nmathewson · 0 comments
nmathewson commented 2021-11-14 06:37:35 -08:00 (Migrated from github.com)

Hello, I hope this is the right place to report this; I didn't find any documentation for a preferred method for reporting security issues.

The following code panics when trying to parse an invalid UTCTime object:

```
fn main() {
    let input = [55, 13, 13, 133, 13, 13, 50, 13, 13, 133, 13, 13, 50, 13, 133];
    let output = simple_asn1::from_der(&input);
    println!("{:?}", output);
}
```

The panic occurs because of these lines in lib.rs:

```
let v = String::from_iter(body.iter().map(|x| *x as char));
let y = &v[0..2];
```

If the string is constructed in such a way that the first two bytes do not end on a character boundary, the slice operation will panic.

Found by fuzzing a downstream library.

I'll submit a patch ASAP.
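
Added example, not part of the original report and not simple_asn1's code or its eventual fix: it reproduces the byte-to-`char` conversion from the quoted lines on the report's content bytes, shows why byte offset 2 is not a character boundary, and contrasts the panicking slice with a checked one. `first_two_checked` and `two_digits` are hypothetical helpers, and the valid timestamp is a constructed sample.

```rust
/// Constructed sample: the 13 content bytes from the report's input
/// (everything after the tag byte 55 and the length byte 13).
const BODY: [u8; 13] = [13, 133, 13, 13, 50, 13, 13, 133, 13, 13, 50, 13, 133];

/// Same conversion as the lines quoted from lib.rs: each byte becomes a
/// `char`, so any byte >= 0x80 occupies two bytes in the UTF-8 `String`.
fn bytes_as_chars(body: &[u8]) -> String {
    body.iter().map(|x| *x as char).collect()
}

/// Non-panicking slice: `str::get` returns `None` when the range does not
/// fall on character boundaries, where `&v[0..2]` would panic.
fn first_two_checked(v: &str) -> Option<&str> {
    v.get(0..2)
}

/// Hypothetical helper: parse a two-digit field directly from the raw
/// bytes, rejecting anything that is not an ASCII digit.
fn two_digits(body: &[u8], at: usize) -> Option<u8> {
    match body.get(at..at + 2)? {
        [a, b] if a.is_ascii_digit() && b.is_ascii_digit() => Some((a - b'0') * 10 + (b - b'0')),
        _ => None,
    }
}

fn main() {
    let v = bytes_as_chars(&BODY);
    // 13 input bytes, but 3 of them are 133 (0x85), so the String is 16 bytes.
    println!("string length in bytes: {}", v.len());
    println!("is byte offset 2 a char boundary? {}", v.is_char_boundary(2));
    println!("checked slice: {:?}", first_two_checked(&v));
    println!("year from report body: {:?}", two_digits(&BODY, 0));
    println!("year from valid body: {:?}", two_digits(b"211114143735Z", 0));
}
```

Working on the raw bytes avoids the mismatch between byte offsets and character offsets entirely, and rejecting non-digit bytes turns the malformed input into an ordinary parse error.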


Reference: acw/simple_asn1#27