Fix DER decoding of UTF-8 Strings

Don't read more than the length indicated by the length field.

Signed-off-by: Steffen Jaeckel <[email protected]>

Author: sjaeckel

src/pk/asn1/der/utf8/der_decode_utf8_string.c

@@ -56,7 +56,8 @@ int der_decode_utf8_string(const unsigned char *in,  unsigned long inlen,
 
         https://tools.ietf.org/html/rfc3629#section-3
     */
-   for (y = 0; x < inlen; ) {
+   len += x;
+   for (y = 0; x < len; ) {
       /* read first byte */
       tmp = in[x++];
 
@@ -87,7 +88,7 @@ int der_decode_utf8_string(const unsigned char *in,  unsigned long inlen,
       /* now update z so it equals the number of additional bytes to read */
       if (z > 0) { --z; }
 
-      if (x + z > inlen) {
+      if (x + z > len) {
          return CRYPT_INVALID_PACKET;
       }