ASN.1 parser references uninitialized string offset #1676

LeonMelis · 2021-06-23T10:23:59Z

I found that with certain ASN.1 input, the parser may cause a read at an uninitialized string offset, which throws a notice.

<?php

error_reporting(E_ALL);

require_once __DIR__ . '/vendor/autoload.php';

use phpseclib3\File\X509;

$cert = <<<CERT
-----BEGIN CERTIFICATE-----
MIIEkzCCBEqgAwIBAgIIEmRlUm7s79UwCgYIKoZIzj0EAwIwgbYxCzAJBgNVBAYT
AklTMQwwCgYDVQQIEwNOL0ExEjAQBgNVBAcTCVJleWtqYXZpazEMMAoGA1UEChMD
bWVoMR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjETMBEGCysGAQQBgjc8
AgEDEwJJUzEUMBIGCysGAQQBgjc8AgECEwNOL0ExDTALBgNVBAUTBDEzMzcxEDAO
BgNVBAkTB1Bvc3Rib3gxDDAKBgNVBBETAzEwNDAeFw0yMTAxMDcwMDAwMDBaFw0z
MTAxMDYyMzU5NTlaMIG2MQswCQYDVQQGEwJJUzEMMAoGA1UECBMDTi9BMRIwEAYD
VQQHEwlSZXlramF2aWsxDDAKBgNVBAoTA21laDEdMBsGA1UEDxMUUHJpdmF0ZSBP
cmdhbml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCSVMxFDASBgsrBgEEAYI3PAIB
AhMDTi9BMQ0wCwYDVQQFEwQxMzM3MRAwDgYDVQQJEwdQb3N0Ym94MQwwCgYDVQQR
EwMxMDQwSTATBgcqhkjOPQIBBggqhkjOPQMBAQMyAARbzSfn7js0+KX+EyjIQatf
7b8rIrrvEyByyXfZ65NfJ1putLP2+HU7j6WTEi+FqBKjggJOMIICSjAMBgNVHRMB
Af8EAjAAMB0GA1UdDgQWBBQdLvJ3zvgZMCppjrSGt2P8pUSiSTAfBgNVHSMEGDAW
gBQdLvJ3zvgZMCppjrSGt2P8pUSiSTARBgNVHREECjAIggZtZWguaXMwXgYIKwYB
BQUHAQEEUjBQME4GCCsGAQUFBzAChkJodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5j
b20vRGlnaUNlcnRWZXJpZmllZE1hcmtJbnRlcm1lZGlhdGVDQS5jcnQwgYoGCisG
AQQB1nkCBAIEfAR6AHgAdgBVWVOuMJYAgGzS61IIpsmekxgorBBWtEIcVTYVTF91
rAAAAXbaW0PdAAAEAwBHMEUCID/smNzHkklIn4Lf57esZo1NYP0Sfx80ljPzzpWq
ifSbAiEA73Sid6AEBPjLnF6DXErf/FfGSot75m+L5W2Yqe44p4UwDQYIKwYBBQUH
AQwEAQAwTwYDVR0gBEgwRjA2BglghkgBhv1sCgEwKTAnBggrBgEFBQcCARYbaHR0
cDovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAwGCisGAQQBg55fAQEwgZkGA1UdHwSB
kTCBjjBFoEOgQYY/aHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0RpZ2lDZXJ0VmVy
aWZpZWRNYXJrSW50ZXJtZWRpYXRlQ0EuY3JsMEWgQ6BBhj9odHRwOi8vY3JsNC5k
aWdpY2VydC5jb20vRGlnaUNlcnRWZXJpZmllZE1hcmtJbnRlcm1lZGlhdGVDQS5j
cmwwCgYIKoZIzj0EAwIDNwAwNAIYGv+9tEObsRgsHRklqvbrUONkmIro4MPjAhg8
lTRlAoTDx7rDUrn5uqZ7lfwRTfcstRk=
-----END CERTIFICATE-----
CERT;

$x509 = new X509();
$x509->loadX509($cert, X509::FORMAT_PEM);

Will result in the following log notice:

PHP Notice:  Uninitialized string offset: 1 in vendor/phpseclib/phpseclib/phpseclib/File/ASN1.php on line 267

This cert seems to contain an empty pe-logotype (OID 1.3.6.1.5.5.7.1.12) extension. Though this makes the cert invalid for BIMI (the main use of pe-logotype), it think this ASN.1 should still be valid and not cause a notice in the logs.

The text was updated successfully, but these errors were encountered:

LeonMelis · 2021-06-23T10:27:44Z

I forgot to add: the sample above was tested with phpseclib 3.0.9, but it is also reproducable with phpseclib 2.

terrafrost · 2021-06-25T02:50:47Z

973bb07 should fix this.

Thanks!

terrafrost closed this as completed Jun 25, 2021

terrafrost referenced this issue Jun 25, 2021

ASN1: return false when not enough bytes are available

973bb07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ASN.1 parser references uninitialized string offset #1676

ASN.1 parser references uninitialized string offset #1676

LeonMelis commented Jun 23, 2021

LeonMelis commented Jun 23, 2021

terrafrost commented Jun 25, 2021

ASN.1 parser references uninitialized string offset #1676

ASN.1 parser references uninitialized string offset #1676

Comments

LeonMelis commented Jun 23, 2021

LeonMelis commented Jun 23, 2021

terrafrost commented Jun 25, 2021