Add maximum integer length to ASN1Key.cpp

stoeckmann · stoeckmann · commit 66be8e8545e4 · 2025-12-22T17:00:28.000+01:00
Values around 2 GB lead to abort() calls within Qt 5.
diff --git a/src/sshagent/ASN1Key.cpp b/src/sshagent/ASN1Key.cpp
@@ -86,7 +86,7 @@ namespace
 
         VALIDATE_RETURN(nextTag(stream, tag, len));
 
-        if (tag != TAG_INT) {
+        if (tag != TAG_INT || len > 1024 * 1024 * 10) {
             return false;
         }
 
diff --git a/tests/TestOpenSSHKey.cpp b/tests/TestOpenSSHKey.cpp
@@ -177,6 +177,18 @@ void TestOpenSSHKey::testParseRSA()
     QCOMPARE(key.fingerprint(QCryptographicHash::Md5), QString("MD5:c2:26:5b:3d:62:19:56:b0:c3:67:99:7a:a6:4c:66:06"));
 }
 
+void TestOpenSSHKey::testParseRSABroken()
+{
+    const QString keyString = QString("-----BEGIN RSA PRIVATE KEY-----\n"
+                                      "MAACAQAChH////8=\n"
+                                      "-----END RSA PRIVATE KEY-----\n");
+
+    const QByteArray keyData = keyString.toLatin1();
+
+    OpenSSHKey key;
+    QVERIFY(!key.parsePKCS1PEM(keyData));
+}
+
 void TestOpenSSHKey::testParseRSACompare()
 {
     const QString oldKeyString = QString("-----BEGIN RSA PRIVATE KEY-----\n"
diff --git a/tests/TestOpenSSHKey.h b/tests/TestOpenSSHKey.h
@@ -31,6 +31,7 @@ private slots:
     void testParse();
     void testParseDSA();
     void testParseRSA();
+    void testParseRSABroken();
     void testParseRSACompare();
     void testParseECDSA256();
     void testParseECDSA384();

Original file line number	Diff line number	Diff line change
`@@ -86,7 +86,7 @@ namespace`
`86`	`86`
`87`	`87`	`VALIDATE_RETURN(nextTag(stream, tag, len));`
`88`	`88`
`89`		`- if (tag != TAG_INT) {`
	`89`	`+ if (tag != TAG_INT \|\| len > 1024 * 1024 * 10) {`
`90`	`90`	`return false;`
`91`	`91`	`}`
`92`	`92`