<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<p style="color: #777777;">
<a href="https://gitlab.com/rockdaboot">Tim Rühsen</a>
commented:
</p>
<div style="">
<p dir="auto">It's from fuzzing, so I can hardly tell (I wrote a tool to convert fuzzer data into the above array. In this case I hand-tuned the fields to have the smallest possible reproducer).</p>
<p dir="auto">Since <code>asn1_array2tree()</code> is a public API, it should gracefully deal with any kind of input. The days of "please only serve proper input to my API" are over. The smallest glitches are meanwhile used for DOS attacks or (remote) code execution, directly or indirectly.</p>
<p dir="auto">I couldn't find any obvious bugs in <code>asn1_array2tree()</code> yesterday (hey, it just build a tree), so maybe it's in <code>asn1_delete_structure()</code> !? Will have a look, but any help appreciated.</p>
</div>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
Reply to this email directly or <a href="https://gitlab.com/gnutls/libtasn1/issues/14#note_194671048">view it on GitLab</a>.
<br>
You're receiving this email because of your account on gitlab.com.
If you'd like to receive fewer emails, you can
<a href="https://gitlab.com/sent_notifications/2d1876ec4716e72d3727670372a45b25/unsubscribe">unsubscribe</a>
from this thread or
adjust your notification settings.
<script type="application/ld+json">{"@context":"http://schema.org","@type":"EmailMessage","action":{"@type":"ViewAction","name":"View Issue","url":"https://gitlab.com/gnutls/libtasn1/issues/14#note_194671048"}}</script>
</p>
</div>
</body>
</html>