When verifying a signed digest, ensure that the digest is DER encoded and

that there is no extra stuff after the DER encoded digest.  Bug 350640.
r=julien.pierre,rrelyea

security/nss/lib/util/secdig.c

@@ -33,7 +33,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secdig.c,v 1.6 2006/08/15 01:34:38 wtchang%redhat.com Exp $ */
+/* $Id: secdig.c,v 1.7 2006/08/31 03:54:48 nelson%bolyard.com Exp $ */
 #include "secdig.h"
 
 #include "secoid.h"
@@ -166,20 +166,25 @@ SGN_DecodeDigestInfo(SECItem *didata)
     PRArenaPool *arena;
     SGNDigestInfo *di;
     SECStatus rv = SECFailure;
+    SECItem      diCopy   = {siBuffer, NULL, 0};
 
     arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     if(arena == NULL)
 	return NULL;
 
+    rv = SECITEM_CopyItem(arena, &diCopy, didata);
+    if (rv != SECSuccess) {
+	PORT_FreeArena(arena, PR_FALSE);
+    	return NULL;
+    }
+
     di = (SGNDigestInfo *)PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
-    if(di != NULL)
-    {
+    if (di != NULL) {
 	di->arena = arena;
-	rv = SEC_ASN1DecodeItem(arena, di, sgn_DigestInfoTemplate, didata);
+	rv = SEC_QuickDERDecodeItem(arena, di, sgn_DigestInfoTemplate, &diCopy);
     }
 	
-    if((di == NULL) || (rv != SECSuccess))
-    {
+    if ((di == NULL) || (rv != SECSuccess)) {
 	PORT_FreeArena(arena, PR_FALSE);
 	di = NULL;
     }