From b4e66d343e2c72aa0c32c528e0f73853d3695e10 Mon Sep 17 00:00:00 2001
From: Michiel Brandenburg <apex@xepa.nl>
Date: Tue, 11 Sep 2018 11:16:19 +0200
Subject: [PATCH] Fixes #1296 parsing invalid certificate

---
 phpseclib/File/ASN1.php      | 12 ++++++++++++
 tests/Unit/File/ASN1Test.php | 10 ++++++++++
 2 files changed, 22 insertions(+)

diff --git a/phpseclib/File/ASN1.php b/phpseclib/File/ASN1.php
index aa0f43b9..04287c4f 100644
--- a/phpseclib/File/ASN1.php
+++ b/phpseclib/File/ASN1.php
@@ -390,6 +390,9 @@ class File_ASN1
                 $remainingLength = $length;
                 while ($remainingLength > 0) {
                     $temp = $this->_decode_ber($content, $start, $content_pos);
+                    if ($temp === false) {
+                        break;
+                    }
                     $length = $temp['length'];
                     // end-of-content octets - see paragraph 8.1.5
                     if (substr($content, $content_pos + $length, 2) == "\0\0") {
@@ -441,6 +444,9 @@ class File_ASN1
                     $current['content'] = substr($content, $content_pos);
                 } else {
                     $temp = $this->_decode_ber($content, $start, $content_pos);
+                    if ($temp === false) {
+                        return false;
+                    }
                     $length-= (strlen($content) - $content_pos);
                     $last = count($temp) - 1;
                     for ($i = 0; $i < $last; $i++) {
@@ -465,6 +471,9 @@ class File_ASN1
                     $length = 0;
                     while (substr($content, $content_pos, 2) != "\0\0") {
                         $temp = $this->_decode_ber($content, $length + $start, $content_pos);
+                        if ($temp === false) {
+                            return false;
+                        }
                         $content_pos += $temp['length'];
                         // all subtags should be octet strings
                         //if ($temp['type'] != FILE_ASN1_TYPE_OCTET_STRING) {
@@ -497,6 +506,9 @@ class File_ASN1
                         break 2;
                     }
                     $temp = $this->_decode_ber($content, $start + $offset, $content_pos);
+                    if ($temp === false) {
+                        return false;
+                    }
                     $content_pos += $temp['length'];
                     $current['content'][] = $temp;
                     $offset+= $temp['length'];
diff --git a/tests/Unit/File/ASN1Test.php b/tests/Unit/File/ASN1Test.php
index 7e01e1aa..4cf549a5 100644
--- a/tests/Unit/File/ASN1Test.php
+++ b/tests/Unit/File/ASN1Test.php
@@ -331,4 +331,14 @@ class Unit_File_ASN1Test extends PhpseclibTestCase
 
         $this->assertSame($data, $arr);
     }
+
+    /**
+     * @group github1296
+     */
+    public function testInvalidCertificate()
+    {
+        $data = 'a' . base64_decode('MD6gJQYKKwYBBAGCNxQCA6AXDBVvZmZpY2VAY2VydGRpZ2l0YWwucm+BFW9mZmljZUBjZXJ0ZGlnaXRhbC5ybw==');
+        $asn1 = new File_ASN1();
+        $asn1->decodeBER($data);
+    }
 }