From 0779e847f79851419dfeb39595b1817ce72ea9fa Mon Sep 17 00:00:00 2001
From: Ryan Liptak <squeek502@hotmail.com>
Date: Mon, 17 Feb 2025 16:18:33 -0800
Subject: [PATCH] Skip empty/invalid records/certs in MacOS keychain files

In the original PR that implemented this (https://github.com/ziglang/zig/pull/14325), it included a list of references for the keychain format. Multiple of those references include the checks that are added in this commit, and empirically this fixes the loading of a real keychain file that was previously failing (it had both a record with offset 0 and a record with cert_size 0).

Fixes #22870
---
 lib/std/crypto/Certificate/Bundle/macos.zig | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/std/crypto/Certificate/Bundle/macos.zig b/lib/std/crypto/Certificate/Bundle/macos.zig
index 7fb16af543..e8e296a034 100644
--- a/lib/std/crypto/Certificate/Bundle/macos.zig
+++ b/lib/std/crypto/Certificate/Bundle/macos.zig
@@ -61,10 +61,16 @@ pub fn rescanMac(cb: *Bundle, gpa: Allocator) RescanMacError!void {
             }
 
             for (record_list) |record_offset| {
+                // An offset of zero means that the record is not present.
+                // An offset that is not 4-byte-aligned is invalid.
+                if (record_offset == 0 or record_offset % 4 != 0) continue;
+
                 try stream.seekTo(db_header.schema_offset + table_offset + record_offset);
 
                 const cert_header = try reader.readStructEndian(X509CertHeader, .big);
 
+                if (cert_header.cert_size == 0) continue;
+
                 try cb.bytes.ensureUnusedCapacity(gpa, cert_header.cert_size);
 
                 const cert_start = @as(u32, @intCast(cb.bytes.items.len));