From dffba8f63eb833c4c7347a62042237203da80f9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Mon, 1 Jul 2013 17:33:31 +0200
Subject: [PATCH] Fix bug in oid_get_numeric_string()

Overflow check was done too early, causing many false positives.
---
 library/oid.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/library/oid.c b/library/oid.c
index 5cd9a5990..2de7806d2 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -33,6 +33,7 @@
 #include "polarssl/rsa.h"
 
 #include <stdio.h>
+#include <limits.h>
 
 /*
  * Macro to generate an internal function for oid_XXX_from_asn1() (used by
@@ -521,13 +522,13 @@ int oid_get_numeric_string( char *buf, size_t size,
         SAFE_SNPRINTF();
     }
 
-    /* Prevent overflow in value. */
-    if( oid->len > sizeof(value) )
-        return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL );
-
     value = 0;
     for( i = 1; i < oid->len; i++ )
     {
+        /* Prevent overflow in value. */
+        if (value > (UINT_MAX >> 7) )
+            return( POLARSSL_ERR_DEBUG_BUF_TOO_SMALL );
+
         value <<= 7;
         value += oid->p[i] & 0x7F;