Bug 1804640 Comment 8 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
My patch was not correct. Here's my rough understanding of what's wrong: The decoder is reading into an array of `sec_PKCS12SafeBag`s. It fails to handle an error and leaves the output pointer in the middle of a `sec_PKCS12SafeBag`. It then proceeds to the next safe bag and writes the contents with the wrong alignment. In the example crash, the value `2` is written to `sec_PKCS12SafeBag.bagTypeTag`, which causes a null pointer check to fail. I'm not sure I can fix this in a reasonable amount of time. Bob, can you think of anyone that might be able to help with this? They'll need the fuzzing target from [D164322](https://phabricator.services.mozilla.com/D164322).
My patch was not correct. Here's my rough understanding of what's wrong: ~The decoder is reading into an array of `sec_PKCS12SafeBag`s. It fails to handle an error and leaves the output pointer in the middle of a `sec_PKCS12SafeBag`. It then proceeds to the next safe bag and writes the contents with the wrong alignment. In the example crash, the value `2` is written to `sec_PKCS12SafeBag.bagTypeTag`, which causes a null pointer check to fail.~ [EDIT: This was not accurate; see Comment 15 below.] I'm not sure I can fix this in a reasonable amount of time. Bob, can you think of anyone that might be able to help with this? They'll need the fuzzing target from [D164322](https://phabricator.services.mozilla.com/D164322).