From c300253181cfc591cbcae9251eda5296ed29591b Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Fri, 7 Oct 2022 14:12:33 +0200
Subject: [PATCH] common: Protect against a theoretical integer overflow in
 tlv.c

* common/tlv.c (parse_ber_header): Protect agains integer overflow.
--

Although there is no concrete case where we use the (nhdr + length),
it is better to protect against this already here.
---
 common/tlv.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/common/tlv.c b/common/tlv.c
index abef83a37..9618d04cb 100644
--- a/common/tlv.c
+++ b/common/tlv.c
@@ -222,6 +222,11 @@ parse_ber_header (unsigned char const **buffer, size_t *size,
       *r_length = len;
     }
 
+  if (*r_length > *r_nhdr && (*r_nhdr + *r_length) < *r_length)
+    {
+      return gpg_err_make (default_errsource, GPG_ERR_EOVERFLOW);
+    }
+
   /* Without this kludge some example certs can't be parsed. */
   if (*r_class == CLASS_UNIVERSAL && !*r_tag)
     *r_length = 0;