Off-by-one in ASN1 Parser
There is an off-by-one in egg-asn1x.c. At lines 729 and 730, inside the atlv_parse_cls_tag function (long-form tag parsing), the following two lines are flagged by ASAN as an out-of-bounds read:
while (punt <= n_data) {
val = at[punt++];
https://gitlab.gnome.org/GNOME/gnome-keyring/blob/master/egg/egg-asn1x.c#L729
For the edge case where the last available byte still has its continuation bit set, punt is incremented up to n_data and the loop condition `punt <= n_data` still holds, so the next iteration reads at[n_data], which is one byte past the end of the input (at + n_data == end). If n_data is the number of bytes readable from at, the bound has to be `punt < n_data` for the read to stay inside the buffer.
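The following is an added, self-contained reconstruction of the long-form tag loop, written for this report and not taken from gnome-keyring. It rebuilds a hypothetical parse_cls_tag from the two quoted lines, with a switch to select either the reported bound (punt <= n_data) or the corrected one (punt < n_data), and feeds it a constructed two-byte input whose last byte has the continuation bit set. A canary byte sits just past the declared end so the over-read is observable without relying on ASAN; the assumption that n_data counts the bytes readable from at is the reporter's reading of the quoted code, not something the project documents.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Hypothetical reconstruction of the long-form tag loop, added for this
 * report; not gnome-keyring's code. Assumes n_data is the number of bytes
 * readable from `at`, and that the tag ends at the first byte whose
 * continuation bit (0x80) is clear, as in DER high-tag-number form.
 *
 * Returns the number of identifier bytes consumed, or 0 on failure.
 * bound_inclusive != 0 reproduces the reported condition (punt <= n_data);
 * bound_inclusive == 0 uses the corrected condition (punt < n_data).
 */
static int
parse_cls_tag (const unsigned char *at, int n_data, int bound_inclusive,
               unsigned char *cls, unsigned long *tag)
{
	int punt;
	unsigned long ris;
	unsigned char val;

	if (n_data < 1)
		return 0;

	*cls = at[0] & 0xE0;

	/* Short form: the tag number fits in the low five bits. */
	if ((at[0] & 0x1F) != 0x1F) {
		*tag = at[0] & 0x1F;
		return 1;
	}

	/* Long form: base-128 digits, high bit set on all but the last. */
	punt = 1;
	ris = 0;
	while (bound_inclusive ? punt <= n_data : punt < n_data) {
		/* With the inclusive bound, punt == n_data reaches this line and
		 * reads at[n_data], one byte past the end of the input. */
		val = at[punt++];
		if (ris > (ULONG_MAX >> 7))
			return 0;	/* next digit would overflow the tag */
		ris = (ris << 7) | (val & 0x7F);
		if (!(val & 0x80)) {
			*tag = ris;
			return punt;
		}
	}

	return 0;	/* input ended inside the tag: truncated */
}

/*
 * Constructed probe: 0x1F announces a long-form tag, 0x81 is a continuation
 * byte promising another digit, and the input is declared to end there
 * (PROBE_LEN == 2). Index 2 is a canary so the over-read stays inside this
 * array (no undefined behaviour in the demo) yet remains observable.
 */
static const unsigned char probe[3] = { 0x1F, 0x81, 0x05 };
#define PROBE_LEN 2

/* Bytes consumed by the reported loop on the truncated probe: 3 > PROBE_LEN. */
int
consumed_by_vulnerable_loop (void)
{
	unsigned char cls;
	unsigned long tag;
	return parse_cls_tag (probe, PROBE_LEN, 1, &cls, &tag);
}

/* Bytes consumed by the corrected loop on the same input: 0, i.e. rejected. */
int
consumed_by_fixed_loop (void)
{
	unsigned char cls;
	unsigned long tag;
	return parse_cls_tag (probe, PROBE_LEN, 0, &cls, &tag);
}

/* Sanity check: the complete 3-byte tag 0x1F 0x81 0x05 (1*128 + 5) still parses. */
unsigned long
tag_of_complete_long_form (void)
{
	unsigned char cls;
	unsigned long tag = 0;
	if (parse_cls_tag (probe, 3, 0, &cls, &tag) != 3)
		return 0;
	return tag;
}

int
main (void)
{
	printf ("reported loop consumed %d of %d bytes\n",
	        consumed_by_vulnerable_loop (), PROBE_LEN);
	printf ("fixed loop consumed %d of %d bytes\n",
	        consumed_by_fixed_loop (), PROBE_LEN);
	printf ("complete long-form tag = %lu\n", tag_of_complete_long_form ());
	return 0;
}
```

With the inclusive bound the loop walks onto the canary and reports three bytes consumed from a two-byte input, which is exactly the at[n_data] read ASAN flags on the real buffer; with the strict bound the truncated tag is rejected and a complete tag still decodes to 133.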