x509asn1: make encodeOID stop on too long input

[bagder]

Plus two other minor fixups.

Reported-by: John Rodriguez

[bagder]

@aisle-analyzer augment review

[aisle-research-bot]

🔒 Aisle Security Analysis

✅ We scanned this PR and did not find any security vulnerabilities.

_{Aisle supplements but does not replace security review.}

---

Analyzed PR: #20871 at commit a0f4ebb

_{Last updated on: 2026-03-09T19:31:41Z}

[augmentcode]

🤖 Augment PR Summary

Summary: Tightens X.509 ASN.1 parsing to avoid overruns/underflows on malformed inputs.
Changes: encodeOID() now bails out when OID subidentifiers run past the input, Curl_parseX509() avoids calling getASN1Element() with a NULL cursor, and ECC public key length computation adds a minimum-size guard.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 2 suggestions posted.

Comment augment review to trigger a new review at any time.

[Copilot]

Pull request overview

This PR hardens X.509 ASN.1 parsing and certificate info extraction by improving bounds/error handling in OID parsing and public key parsing, plus a small cleanup around dynbuf lifetime.

Changes:

• Prevent out-of-bounds reads in encodeOID() when encountering a truncated base-128 OID component.
• Ensure temporary dynbuf used for symbolic OID lookup is always freed.
• Add additional guardrails in X.509 parsing (issuer extraction) and ECC public key handling for undersized inputs.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.