From acc40fdaf7bb09aafc912a687ca6ed063ecaface Mon Sep 17 00:00:00 2001
From: 0xmrma <moabdelaal442004@gmail.com>
Date: Sun, 1 Mar 2026 09:18:21 +0200
Subject: [PATCH] der: reject truncated lengths in octet/implicit/constructed

---
 src/ecdsa/der.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/ecdsa/der.py b/src/ecdsa/der.py
index 7a06b681..5d35d698 100644
--- a/src/ecdsa/der.py
+++ b/src/ecdsa/der.py
@@ -163,6 +163,8 @@ def remove_constructed(string):
         )
     tag = s0 & 0x1F
     length, llen = read_length(string[1:])
+    if length > len(string) - 1 - llen:
+        raise UnexpectedDER("Length longer than the provided buffer")
     body = string[1 + llen : 1 + llen + length]
     rest = string[1 + llen + length :]
     return tag, body, rest
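Review bot: The guard `if length > len(string) - 1 - llen:` and its `raise UnexpectedDER("Length longer than the provided buffer")` are pasted verbatim into remove_constructed here and again into remove_implicit and remove_octet_string in the next two hunks, so the bound and the message can drift apart on a later edit. A single private helper, called as `_check_body_fits(string, length, llen)` right after each `read_length(string[1:])`, would keep the three parsers in step. The arithmetic itself looks right: one tag byte plus `llen` length bytes precede the body, and without the check the slice on the following line silently returns a body shorter than the declared length. All three functions start above their hunks, so whether the other remove_* parsers in this file already enforce the same bound cannot be confirmed from here.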
@@ -206,6 +208,8 @@ def remove_implicit(string, exp_class="context-specific"):
 
     tag = s0 & 0x1F
     length, llen = read_length(string[1:])
+    if length > len(string) - 1 - llen:
+        raise UnexpectedDER("Length longer than the provided buffer")
     body = string[1 + llen : 1 + llen + length]
     rest = string[1 + llen + length :]
     return tag, body, rest
@@ -229,6 +233,8 @@ def remove_octet_string(string):
         n = str_idx_as_int(string, 0)
         raise UnexpectedDER("wanted type 'octetstring' (0x04), got 0x%02x" % n)
     length, llen = read_length(string[1:])
+    if length > len(string) - 1 - llen:
+        raise UnexpectedDER("Length longer than the provided buffer")
     body = string[1 + llen : 1 + llen + length]
     rest = string[1 + llen + length :]
     return body, rest
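Review bot: No regression test accompanies the new length checks; the diffstat lists only src/ecdsa/der.py. One truncated and one well-formed input per function would pin the behaviour. For remove_octet_string, a constructed sample such as `b"\x04\x05\x01"` (declares five body bytes, carries one) should raise UnexpectedDER, while `b"\x04\x01\x01"` should still return `(b"\x01", b"")`. The boundary case where the declared length equals exactly the remaining bytes is worth covering too, since the comparison is a strict `>`.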
