From 3479195d052cc59db5358730ff3ad829abb7aced Mon Sep 17 00:00:00 2001
From: Thomas Pornin
Date: Sat, 4 Apr 2026 11:18:55 -0400
Subject: [PATCH] Fixed chunked decoding in case of errors (if decoding failed at some point, subsequent chunks should be ignored, trying to reenter the decoder after a failure is a recipe for Bad Thing). Impacted functions were not used over malicious on-the-wire data for "normal" SSL/TLS usage. Bug was reported by Thai Duong at Calif.io (apparently using some AI from Anthropic Research).
---
 src/x509/skey_decoder.c | 3 +++
 src/x509/skey_decoder.t0 | 3 +++
 src/x509/x509_decoder.c | 3 +++
 src/x509/x509_decoder.t0 | 3 +++
 4 files changed, 12 insertions(+)
diff --git a/src/x509/skey_decoder.c b/src/x509/skey_decoder.c
index 9e285d7..9fe22bd 100644
--- a/src/x509/skey_decoder.c
+++ b/src/x509/skey_decoder.c
@@ -94,6 +94,9 @@ void
 br_skey_decoder_push(br_skey_decoder_context *ctx,
 const void *data, size_t len)
 {
+ if (ctx->err != 0) {
+ return;
+ }
 ctx->hbuf = data;
 ctx->hlen = len;
 br_skey_decoder_run(&ctx->cpu);
diff --git a/src/x509/skey_decoder.t0 b/src/x509/skey_decoder.t0
index f00e614..76b415a 100644
--- a/src/x509/skey_decoder.t0
+++ b/src/x509/skey_decoder.t0
@@ -43,6 +43,9 @@ void
 br_skey_decoder_push(br_skey_decoder_context *ctx,
 const void *data, size_t len)
 {
+ if (ctx->err != 0) {
+ return;
+ }
 ctx->hbuf = data;
 ctx->hlen = len;
 br_skey_decoder_run(&ctx->cpu);
diff --git a/src/x509/x509_decoder.c b/src/x509/x509_decoder.c
index 8dd970f..d87e576 100644
--- a/src/x509/x509_decoder.c
+++ b/src/x509/x509_decoder.c
@@ -103,6 +103,9 @@ void
 br_x509_decoder_push(br_x509_decoder_context *ctx,
 const void *data, size_t len)
 {
+ if (ctx->err != 0) {
+ return;
+ }
 ctx->hbuf = data;
 ctx->hlen = len;
 br_x509_decoder_run(&ctx->cpu);
diff --git a/src/x509/x509_decoder.t0 b/src/x509/x509_decoder.t0
index 0bf276f..036f501 100644
--- a/src/x509/x509_decoder.t0
+++ b/src/x509/x509_decoder.t0
@@ -52,6 +52,9 @@ void
 br_x509_decoder_push(br_x509_decoder_context *ctx,
 const void *data, size_t len)
 {
+ if (ctx->err != 0) {
+ return;
+ }
 ctx->hbuf = data;
 ctx->hlen = len;
 br_x509_decoder_run(&ctx->cpu);
--
2.17.1
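Review bot: The new `if (ctx->err != 0) { return; }` guard at the top of `br_x509_decoder_push` has no comment saying why a failed decoder must not be re-entered, and the identical guard in `br_skey_decoder_push` (skey_decoder.t0, plus both `.c` files, which look like output generated from the `.t0` sources) lacks one too; I would put `/* A previous chunk failed: the decoder state is no longer reliable, so later chunks are ignored rather than fed to it. */` above the guard. Because the function returns `void`, the chunks are dropped silently, so the API documentation should state that callers must read the decoder's error status after pushing. The diffstat lists only these four files, so no regression test comes with the fix; a test that pushes a malformed chunk followed by further chunks and checks that `ctx->err` keeps its first value would pin the behaviour for both decoders. The function's return type line and closing brace are outside the hunk.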