MFB: Fix integer overflow in ASN parser.

diff --git a/framework/Crypt/lib/Horde/Crypt/Smime.php b/framework/Crypt/lib/Horde/Crypt/Smime.php
index 949975c..18c2aaa 100644 (file)
--- a/framework/Crypt/lib/Horde/Crypt/Smime.php
+++ b/framework/Crypt/lib/Horde/Crypt/Smime.php
@@ -932,17 +932,8 @@ class Horde_Crypt_Smime extends Horde_Crypt
             case 0x02:
                 // Integer type
                 $len = ord($data[1]);
-                $bytes = 0;
-                if ($len & 0x80) {
-                    $bytes = $len & 0x0f;
-                    $len = 0;
-                    for ($i = 0; $i < $bytes; $i++) {
-                        $len = ($len << 8) | ord($data[$i + 2]);
-                    }
-                }
-
-                $integer_data = substr($data, 2 + $bytes, $len);
-                $data = substr($data, 2 + $bytes + $len);
+                $integer_data = substr($data, 2, $len);
+                $data = substr($data, 2 + $len);
 
                 $value = 0;
                 if ($len <= 4) {

diff --git a/horde/docs/CHANGES b/horde/docs/CHANGES
index ab15d75..3879805 100644 (file)
--- a/horde/docs/CHANGES
+++ b/horde/docs/CHANGES
@@ -58,6 +58,7 @@ v4.0-cvs
 v3.3.12-cvs
 -----------
 
+[jan] Fix integer overflow in ASN.1 parser for S/MIME messages.
 [jan] Fix splitread database usage in VFS (Bug #9467).
 [jan] Fix invalidating permission cache in SQL driver (Bug #9392).