commit 65fc211015cfcac27b10d0876054156c97225f50
Author: Jakub Jelen <jjelen@redhat.com>
Date:   Tue Nov 25 15:58:02 2025 +0100

    pkcs15: Avoid buffer overrun on invalid data
    
    Invalid data can contain zero-length buffer, which after copying
    was dereferenced without length check
    
    Credit: Aldo Ristori
    
    Signed-off-by: Jakub Jelen <jjelen@redhat.com>

diff --git a/src/libopensc/pkcs15-pubkey.c b/src/libopensc/pkcs15-pubkey.c
index e55296582..72d207bfb 100644
--- a/src/libopensc/pkcs15-pubkey.c
+++ b/src/libopensc/pkcs15-pubkey.c
@@ -1332,6 +1332,10 @@ sc_pkcs15_pubkey_from_spki_fields(struct sc_context *ctx, struct sc_pkcs15_pubke
 	       "sc_pkcs15_pubkey_from_spki_fields() called: %p:%"SC_FORMAT_LEN_SIZE_T"u\n%s",
 	       buf, buflen, sc_dump_hex(buf, buflen));
 
+	if (buflen < 1) {
+		LOG_TEST_RET(ctx, SC_ERROR_INVALID_DATA, "subjectPublicKeyInfo can not be empty");
+	}
+
 	tmp_buf = malloc(buflen);
 	if (!tmp_buf) {
 		r = SC_ERROR_OUT_OF_MEMORY;
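Review bot: The added guard `if (buflen < 1)` carries no explanation of why an empty input must be rejected before `malloc(buflen)`, so a later cleanup could drop it. A short comment would help, for example `/* malloc(0) may return a non-NULL zero-size block, and the first byte of the copy is read below */`; the dereference is taken from the commit message and is not visible in this hunk. Because `buflen` is printed with `SC_FORMAT_LEN_SIZE_T"u"` it appears to be an unsigned size, so `buflen == 0` states the condition more directly. The visible lines also never test `buf` for NULL before it reaches `sc_dump_hex()`; if callers can pass NULL with a non-zero length, the same check could cover it with `if (buf == NULL || buflen == 0)`. The function body starts before and continues past this hunk.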
