Remove wrong null check

aidangarske · aidangarske · commit 73887a15c6cb · 2026-03-21T14:24:57.000-07:00
1. #552 fix corrected — Removed out == NULL from the guard; outSz == NULL check remains
  2. Copilot review: overflow guard in wolfTPM2_UnloadHandles — Added pre-loop handleStart + handleCount overflow check
  3. Copilot review: BER indefinite-length — Reject bytes == 0 in TPM2_ASN_GetLength_ex
  4. Copilot review: bounds check before X.509 version read — Added len &lt;= 0 || idx &gt;= inputSz check before accessing input[idx]
  5. Build fix — Cast inputSz to word32 for sign-compare warning
diff --git a/src/tpm2_asn.c b/src/tpm2_asn.c
@@ -56,7 +56,8 @@ int TPM2_ASN_GetLength_ex(const uint8_t* input, word32* inOutIdx, int* len,
     b = input[idx++];
     if (b >= TPM2_ASN_LONG_LENGTH) {
         word32 bytes = b & 0x7F;
-        if (bytes > 3 || (idx + bytes) > maxIdx) {
+        /* DER does not allow BER indefinite-length (0x80 => bytes == 0) */
+        if (bytes == 0 || bytes > 3 || (idx + bytes) > maxIdx) {
             return TPM_RC_INSUFFICIENT;
         }
         while (bytes--) {
@@ -187,6 +188,12 @@ int TPM2_ASN_DecodeX509Cert(uint8_t* input, int inputSz,
                                &idx, &len, inputSz);
     }
 
+    if (rc >= 0) {
+        if (len <= 0 || idx >= (word32)inputSz) {
+            rc = TPM_RC_VALUE;
+        }
+    }
+
     if (rc >= 0) {
         /* check version tag is INTEGER */
         if (input[idx] != TPM2_ASN_INTEGER) {
diff --git a/src/tpm2_wrap.c b/src/tpm2_wrap.c
@@ -3277,7 +3277,7 @@ int wolfTPM2_ExportPublicKeyBuffer(WOLFTPM2_DEV* dev, WOLFTPM2_KEY* tpmKey,
     #endif
     } key;
 
-    if (dev == NULL || tpmKey == NULL || out == NULL || outSz == NULL) {
+    if (dev == NULL || tpmKey == NULL || outSz == NULL) {
         return BAD_FUNC_ARG;
     }
 
@@ -6295,6 +6295,9 @@ int wolfTPM2_UnloadHandles(WOLFTPM2_DEV* dev, word32 handleStart,
     if (dev == NULL) {
         return BAD_FUNC_ARG;
     }
+    if (handleCount != 0 && handleStart > (word32)0xFFFFFFFF - (handleCount - 1)) {
+        return BAD_FUNC_ARG;
+    }
     XMEMSET(&handle, 0, sizeof(handle));
     wolfTPM2_CopyAuth(&handle.auth, &dev->session[0].auth);
 
