Fix possible DoS in ASN.1 decoders (CVE-2016-9939)

asn.cpp

@@ -123,6 +123,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, SecByteBlock &str)
 	size_t bc;
 	if (!BERLengthDecode(bt, bc))
 		BERDecodeError();
+	if (bc > bt.MaxRetrievable())
+		BERDecodeError();
 
 	str.New(bc);
 	if (bc != bt.Get(str, bc))
@@ -139,6 +141,8 @@ size_t BERDecodeOctetString(BufferedTransformation &bt, BufferedTransformation &
 	size_t bc;
 	if (!BERLengthDecode(bt, bc))
 		BERDecodeError();
+	if (bc > bt.MaxRetrievable())
+		BERDecodeError();
 
 	bt.TransferTo(str, bc);
 	return bc;
@@ -161,6 +165,8 @@ size_t BERDecodeTextString(BufferedTransformation &bt, std::string &str, byte as
 	size_t bc;
 	if (!BERLengthDecode(bt, bc))
 		BERDecodeError();
+	if (bc > bt.MaxRetrievable())
+		BERDecodeError();
 
 	SecByteBlock temp(bc);
 	if (bc != bt.Get(temp, bc))
@@ -188,6 +194,10 @@ size_t BERDecodeBitString(BufferedTransformation &bt, SecByteBlock &str, unsigne
 	size_t bc;
 	if (!BERLengthDecode(bt, bc))
 		BERDecodeError();
+	if (bc == 0)
+		BERDecodeError();
+	if (bc > bt.MaxRetrievable())
+		BERDecodeError();
 
 	byte unused;
 	if (!bt.Get(unused))

asn.h

@@ -498,6 +498,8 @@ void BERDecodeUnsigned(BufferedTransformation &in, T &w, byte asnTag = INTEGER,
 	bool definite = BERLengthDecode(in, bc);
 	if (!definite)
 		BERDecodeError();
+	if (bc > in.MaxRetrievable())
+		BERDecodeError();
 
 	SecByteBlock buf(bc);