From 475966761551a098f58dc4b0670e667465e01783 Mon Sep 17 00:00:00 2001
From: Evgeny Margolis <emargolis@google.com>
Date: Wed, 15 Jun 2022 17:14:41 -0700
Subject: [PATCH] Fixed Potential Integer Overflow in ASN1Reader::Next() Method
 (#19627)

---
 src/lib/asn1/ASN1Reader.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/lib/asn1/ASN1Reader.cpp b/src/lib/asn1/ASN1Reader.cpp
index 6ac0605149d0fc..30b8f1c493cb58 100644
--- a/src/lib/asn1/ASN1Reader.cpp
+++ b/src/lib/asn1/ASN1Reader.cpp
@@ -53,7 +53,9 @@ CHIP_ERROR ASN1Reader::Next()
     ReturnErrorCodeIf(EndOfContents, ASN1_END);
     ReturnErrorCodeIf(IndefiniteLen, ASN1_ERROR_UNSUPPORTED_ENCODING);
 
-    mElemStart += (mHeadLen + ValueLen);
+    // Note: avoid using addition assignment operator (+=), which may result in integer overflow
+    // in the right hand side of an assignment (mHeadLen + ValueLen).
+    mElemStart = mElemStart + mHeadLen + ValueLen;
 
     ResetElementState();