From 96da2df7ec5f59eede0566667935fc36a271b83c Mon Sep 17 00:00:00 2001
From: David Garske <david@wolfssl.com>
Date: Wed, 3 Aug 2016 17:04:44 -0700
Subject: [PATCH] Additional max index and serial number size checks in
 "GetSerialNumber".

---
 wolfcrypt/src/asn.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 4a75f5e6f..025bb1c7b 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -5291,6 +5291,10 @@ WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
     }
 
     /* First byte is ASN type */
+    if ((*inOutIdx+1) > maxIdx) {
+        WOLFSSL_MSG("Bad idx first");
+        return BUFFER_E;
+    }
     b = input[*inOutIdx];
     *inOutIdx += 1;
 
@@ -5303,11 +5307,17 @@ WOLFSSL_LOCAL int GetSerialNumber(const byte* input, word32* inOutIdx,
         return ASN_PARSE_E;
     }
 
-    if (*serialSz > EXTERNAL_SERIAL_SIZE) {
-        WOLFSSL_MSG("Serial Size too big");
+    if (*serialSz < 0 || *serialSz > EXTERNAL_SERIAL_SIZE) {
+        WOLFSSL_MSG("Serial size bad");
         return ASN_PARSE_E;
     }
 
+    /* serial size check */
+    if ((*inOutIdx + *serialSz) > maxIdx) {
+        WOLFSSL_MSG("Bad idx serial");
+        return BUFFER_E;
+    }
+
     /* skip padding */
     if (input[*inOutIdx] == 0x00) {
         *serialSz -= 1;