From b90c33200e20c786fbe7c2acff2e35729a71af59 Mon Sep 17 00:00:00 2001
From: terrafrost <terrafrost@gmail.com>
Date: Fri, 2 Apr 2021 10:43:15 -0500
Subject: [PATCH] ASN1: don't allow last octet in OID to have MSB set

---
 phpseclib/File/ASN1.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/phpseclib/File/ASN1.php b/phpseclib/File/ASN1.php
index 00c913b8..13975ab7 100644
--- a/phpseclib/File/ASN1.php
+++ b/phpseclib/File/ASN1.php
@@ -517,6 +517,9 @@ class File_ASN1
                 break;
             case FILE_ASN1_TYPE_OBJECT_IDENTIFIER:
                 $current['content'] = $this->_decodeOID(substr($content, $content_pos));
+                if ($current['content'] === false) {
+                    return false;
+                }
                 break;
             /* Each character string type shall be encoded as if it had been declared:
                [UNIVERSAL x] IMPLICIT OCTET STRING
@@ -1228,6 +1231,11 @@ class File_ASN1
         $oid = array();
         $pos = 0;
         $len = strlen($content);
+
+        if (ord($content[$len - 1]) & 0x80) {
+            return false;
+        }
+
         $n = new Math_BigInteger();
         while ($pos < $len) {
             $temp = ord($content[$pos++]);