From 9c413abee1be3384c80054067f89d786962081b8 Mon Sep 17 00:00:00 2001
From: Isaac Klein <fifthdegree@protonmail.com>
Date: Tue, 20 Aug 2024 12:06:13 -0400
Subject: [PATCH 1/2] Fix ASN.1 integer decoding

Treat ASN.1 encoded integers with a leading zero byte and the MSB of the
second byte set as non-negative
---
 winpr/libwinpr/utils/asn1/asn1.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/winpr/libwinpr/utils/asn1/asn1.c b/winpr/libwinpr/utils/asn1/asn1.c
index f1a8d7c1f..d881f8fcf 100644
--- a/winpr/libwinpr/utils/asn1/asn1.c
+++ b/winpr/libwinpr/utils/asn1/asn1.c
@@ -1024,13 +1024,20 @@ static size_t WinPrAsn1DecReadIntegerLike(WinPrAsn1Decoder* dec, WinPrAsn1_tag e
 		return 0;
 
 	WinPrAsn1_INTEGER val = 0;
-	for (size_t x = 0; x < len; x++)
+	UINT8 v = 0;
+
+	Stream_Read_UINT8(&dec->source, v);
+	if (v & 0x80)
+		val = 0xFFFFFFFF;
+	val |= v;
+
+	for (size_t x = 1; x < len; x++)
 	{
-		INT8 v = 0;
-		Stream_Read_INT8(&dec->source, v);
+		Stream_Read_UINT8(&dec->source, v);
 		val = (WinPrAsn1_INTEGER)(((UINT32)val) << 8);
 		val |= v;
 	}
+
 	*target = val;
 	ret += len;
 

From 3fb7bd92cc35e71ea8738f19aee3777b81625b5d Mon Sep 17 00:00:00 2001
From: Isaac Klein <fifthdegree@protonmail.com>
Date: Wed, 21 Aug 2024 14:02:26 -0400
Subject: [PATCH 2/2] Don't accept 0-length ASN.1 integers for decoding

---
 winpr/libwinpr/utils/asn1/asn1.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/winpr/libwinpr/utils/asn1/asn1.c b/winpr/libwinpr/utils/asn1/asn1.c
index d881f8fcf..0121859c4 100644
--- a/winpr/libwinpr/utils/asn1/asn1.c
+++ b/winpr/libwinpr/utils/asn1/asn1.c
@@ -1020,7 +1020,7 @@ static size_t WinPrAsn1DecReadIntegerLike(WinPrAsn1Decoder* dec, WinPrAsn1_tag e
 	size_t ret = readTagAndLen(dec, &dec->source, &tag, &len);
 	if (!ret || (tag != expectedTag))
 		return 0;
-	if (!Stream_CheckAndLogRequiredLength(TAG, &dec->source, len) || (len > 4))
+	if (len == 0 || !Stream_CheckAndLogRequiredLength(TAG, &dec->source, len) || (len > 4))
 		return 0;
 
 	WinPrAsn1_INTEGER val = 0;