From 13c0eee15f783b695149739ad04cd9bef67fd630 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20L=C3=B6hning?= <robert.loehning@qt.io>
Date: Mon, 1 Feb 2021 17:57:40 +0100
Subject: QAsn1Element: Avoid overflow in QAsn1Element::toInteger
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fixes oss-fuzz issue 29534.

Change-Id: I51d0b8238c73e5860c40d3b74577ddb8926647a3
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
(cherry picked from commit 11a3eab1e168256778c45090b56e998e50c08c55)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
---
 src/network/ssl/qasn1element.cpp | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/network/ssl/qasn1element.cpp b/src/network/ssl/qasn1element.cpp
index 13fc095e12..3df76c3774 100644
--- a/src/network/ssl/qasn1element.cpp
+++ b/src/network/ssl/qasn1element.cpp
@@ -327,8 +327,9 @@ qint64 QAsn1Element::toInteger(bool *ok) const
         return 0;
     }
 
-    // NOTE: negative numbers are not handled
-    if (mValue.at(0) & 0x80) {
+    // NOTE: - negative numbers are not handled
+    //       - greater sizes would overflow
+    if (mValue.at(0) & 0x80 || mValue.size() > 8) {
         if (ok)
             *ok = false;
         return 0;
-- 
cgit v1.2.3