From 39ed376b7a2bded73d0b99669f99aadbff584baa Mon Sep 17 00:00:00 2001
From: "nelson%bolyard.com" <nelson%bolyard.com>
Date: Thu, 31 Aug 2006 03:54:48 +0000
Subject: [PATCH] When verifying a signed digest, ensure that the digest is DER
 encoded and that there is no extra stuff after the DER encoded digest.  Bug
 350640. r=julien.pierre,rrelyea

---
 security/nss/lib/util/secdig.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/security/nss/lib/util/secdig.c b/security/nss/lib/util/secdig.c
index aa370d6bbb97..f9cbd090a151 100644
--- a/security/nss/lib/util/secdig.c
+++ b/security/nss/lib/util/secdig.c
@@ -33,7 +33,7 @@
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
-/* $Id: secdig.c,v 1.6 2006/08/15 01:34:38 wtchang%redhat.com Exp $ */
+/* $Id: secdig.c,v 1.7 2006/08/31 03:54:48 nelson%bolyard.com Exp $ */
 #include "secdig.h"
 
 #include "secoid.h"
@@ -166,20 +166,25 @@ SGN_DecodeDigestInfo(SECItem *didata)
     PRArenaPool *arena;
     SGNDigestInfo *di;
     SECStatus rv = SECFailure;
+    SECItem      diCopy   = {siBuffer, NULL, 0};
 
     arena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     if(arena == NULL)
 	return NULL;
 
+    rv = SECITEM_CopyItem(arena, &diCopy, didata);
+    if (rv != SECSuccess) {
+	PORT_FreeArena(arena, PR_FALSE);
+    	return NULL;
+    }
+
     di = (SGNDigestInfo *)PORT_ArenaZAlloc(arena, sizeof(SGNDigestInfo));
-    if(di != NULL)
-    {
+    if (di != NULL) {
 	di->arena = arena;
-	rv = SEC_ASN1DecodeItem(arena, di, sgn_DigestInfoTemplate, didata);
+	rv = SEC_QuickDERDecodeItem(arena, di, sgn_DigestInfoTemplate, &diCopy);
     }
 	
-    if((di == NULL) || (rv != SECSuccess))
-    {
+    if ((di == NULL) || (rv != SECSuccess)) {
 	PORT_FreeArena(arena, PR_FALSE);
 	di = NULL;
     }