From f6e0e91ecc03ec9d6b308fce569a2b2e8d9f466f Mon Sep 17 00:00:00 2001
From: Jan Schneider <jan@horde.org>
Date: Fri, 14 Jan 2011 16:33:02 +0100
Subject: [PATCH] MFB: Fix integer overflow in ASN parser.

---
 framework/Crypt/lib/Horde/Crypt/Smime.php | 13 ++-----------
 horde/docs/CHANGES                        |  1 +
 2 files changed, 3 insertions(+), 11 deletions(-)

diff --git a/framework/Crypt/lib/Horde/Crypt/Smime.php b/framework/Crypt/lib/Horde/Crypt/Smime.php
index 949975c09..18c2aaafc 100644
--- a/framework/Crypt/lib/Horde/Crypt/Smime.php
+++ b/framework/Crypt/lib/Horde/Crypt/Smime.php
@@ -932,17 +932,8 @@ class Horde_Crypt_Smime extends Horde_Crypt
             case 0x02:
                 // Integer type
                 $len = ord($data[1]);
-                $bytes = 0;
-                if ($len & 0x80) {
-                    $bytes = $len & 0x0f;
-                    $len = 0;
-                    for ($i = 0; $i < $bytes; $i++) {
-                        $len = ($len << 8) | ord($data[$i + 2]);
-                    }
-                }
-
-                $integer_data = substr($data, 2 + $bytes, $len);
-                $data = substr($data, 2 + $bytes + $len);
+                $integer_data = substr($data, 2, $len);
+                $data = substr($data, 2 + $len);
 
                 $value = 0;
                 if ($len <= 4) {
diff --git a/horde/docs/CHANGES b/horde/docs/CHANGES
index ab15d756d..38798056c 100644
--- a/horde/docs/CHANGES
+++ b/horde/docs/CHANGES
@@ -58,6 +58,7 @@ v4.0-cvs
 v3.3.12-cvs
 -----------
 
+[jan] Fix integer overflow in ASN.1 parser for S/MIME messages.
 [jan] Fix splitread database usage in VFS (Bug #9467).
 [jan] Fix invalidating permission cache in SQL driver (Bug #9392).
 
-- 
2.11.0