Bug 1342372 - check dbentry->len, r=ttaubert

--HG--
extra : rebase_source : ce12237ea08443d7a48cc983ad1a481d7e8a7f0b

lib/softoken/legacydb/pcertdb.c

@@ -733,6 +733,12 @@ DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry)
         entry->derCert.len += lenoff;
     }
 
+    /* Is data long enough? */
+    if (dbentry->len < headerlen + entry->derCert.len) {
+        PORT_SetError(SEC_ERROR_BAD_DATABASE);
+        goto loser;
+    }
+
     /* copy the dercert */
     entry->derCert.data = pkcs11_copyStaticData(&dbentry->data[headerlen],
                                                 entry->derCert.len, entry->derCertSpace, sizeof(entry->derCertSpace));
@@ -743,6 +749,11 @@ DecodeDBCertEntry(certDBEntryCert *entry, SECItem *dbentry)
 
     /* copy the nickname */
     if (nnlen > 1) {
+        /* Is data long enough? */
+        if (dbentry->len < headerlen + entry->derCert.len + nnlen) {
+            PORT_SetError(SEC_ERROR_BAD_DATABASE);
+            goto loser;
+        }
         entry->nickname = (char *)pkcs11_copyStaticData(
             &dbentry->data[headerlen + entry->derCert.len], nnlen,
             (unsigned char *)entry->nicknameSpace,