From 4dc9b394d397e331f5c14f7e053aafaccc771321 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg2@elzevir.fr>
Date: Wed, 21 Oct 2015 12:23:09 +0200
Subject: [PATCH] Fix other occurrences of same bounds check issue

Security impact is the same: not triggerrable remotely except in very specific
use cases
---
 library/pkwrite.c     | 2 +-
 library/x509_create.c | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/library/pkwrite.c b/library/pkwrite.c
index 0a16eac72..83b798c11 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -96,7 +96,7 @@ static int pk_write_ec_pubkey( unsigned char **p, unsigned char *start,
         return( ret );
     }
 
-    if( *p - start < (int) len )
+    if( *p < start || (size_t)( *p - start ) < len )
         return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
 
     *p -= len;
diff --git a/library/x509_create.c b/library/x509_create.c
index 3b773c02a..df20ec8eb 100644
--- a/library/x509_create.c
+++ b/library/x509_create.c
@@ -259,13 +259,16 @@ int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
     int ret;
     size_t len = 0;
 
-    if( *p - start < (int) size + 1 )
+    if( *p < start || (size_t)( *p - start ) < size )
         return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
 
     len = size;
     (*p) -= len;
     memcpy( *p, sig, len );
 
+    if( *p - start < 1 )
+        return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
+
     *--(*p) = 0;
     len += 1;