Thanks for this report. The certificate has a Netscape cert-type extension (oid `2.16.840.1.113730.1.1`) that contains an empty bitstring. After parsing this extension, the `CERT_FindBitStringExtension` function returns a `SECItem` with a data field that points to a one byte allocation and with the length field set to 0. There are several errors here.

- `CERT_FindBitStringExtension` fails to initialize the one byte allocation,
- `CERT_FindBitStringExtension` calls `memcpy` with a null source pointer with a 0 length parameter,
- The caller `cert_ComputeCertTypeExtension` function fails to check the length parameter of the returned `SECItem` before accessing its first byte.

The memory leak appears to be a separate bug. But I'll include a fix in the patch.
Bug 1771498 Comment 2 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Thanks for this report. The certificate has a Netscape cert-type extension (oid `2.16.840.1.113730.1.1`) that contains an empty bitstring. After parsing this extension, the `CERT_FindBitStringExtension` function returns a `SECItem` with a data field that points to a one byte allocation and with the length field set to 0. There are several errors here.

- `CERT_FindBitStringExtension` fails to initialize the one byte allocation,
- `CERT_FindBitStringExtension` calls `memcpy` with a null source pointer with a 0 length parameter,
- The caller `cert_ComputeCertTypeExtension` function fails to check the length parameter of the returned `SECItem` before accessing its first byte.

~The memory leak appears to be a separate bug. But I'll include a fix in the patch.~

Thanks for this report. The certificate has a Netscape cert-type extension (oid `2.16.840.1.113730.1.1`) that contains an empty bitstring. After parsing this extension, the `CERT_FindBitStringExtension` function returns a `SECItem` with a data field that points to a one byte allocation and with the length field set to 0. There are several errors here.

- `CERT_FindBitStringExtension` fails to initialize the one byte allocation,
- `CERT_FindBitStringExtension` calls `memcpy` with a null source pointer with a 0 length parameter,
- The caller `cert_ComputeCertTypeExtension` function fails to check the length parameter of the returned `SECItem` before accessing its first byte.

The memory leak appears to be a separate bug. ~But I'll include a fix in the patch.~
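As an added example, not NSS code and not the patch from this bug: a minimal DER BIT STRING decoder plus a consumer that avoid the three defects listed in the comment. The `Item` struct is an assumed stand-in for `SECItem`, and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for NSS's SECItem (assumption, not the NSS header). */
typedef struct { unsigned char *data; unsigned int len; } Item;

/* Decode a DER BIT STRING TLV (short-form length only) into the payload
 * bytes that follow the unused-bits octet. "03 01 00" is the empty bit
 * string: one content byte, zero payload bytes. Returns 0 on success. */
int decode_bitstring(const unsigned char *der, size_t der_len, Item *out) {
    if (der_len < 3 || der[0] != 0x03 || der[1] > 0x7f) return -1;
    size_t content_len = der[1];
    if (content_len < 1 || der_len < 2 + content_len) return -1;
    unsigned char unused = der[2];
    if (unused > 7 || (content_len == 1 && unused != 0)) return -1;
    size_t payload_len = content_len - 1;
    /* calloc: a zero-length result never exposes uninitialised memory.
     * memcpy is only called when there is a real source and a length. */
    out->data = calloc(payload_len ? payload_len : 1, 1);
    if (!out->data) return -1;
    if (payload_len > 0) memcpy(out->data, der + 3, payload_len);
    out->len = (unsigned int)payload_len;
    return 0;
}

/* Consumer in the role of cert_ComputeCertTypeExtension: reads the first
 * byte of the cert-type bits, but only after checking len. */
int cert_type_bits(const Item *item) {
    if (item == NULL || item->data == NULL || item->len == 0) return -1;
    return item->data[0];
}

/* Decode then read; returns -1 for an empty or malformed bit string. */
int cert_type_from_der(const unsigned char *der, size_t der_len) {
    Item it = {0};
    if (decode_bitstring(der, der_len, &it) != 0) return -1;
    int r = cert_type_bits(&it);
    free(it.data);
    return r;
}
```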