error if signature has trailing bytes

2 files changed, 11 insertions, 0 deletions

diff --git a/src/cryptography/hazmat/primitives/asymmetric/utils.py b/src/cryptography/hazmat/primitives/asymmetric/utils.py
index 0140e6c1..a1a40292 100644
--- a/src/cryptography/hazmat/primitives/asymmetric/utils.py
+++ b/src/cryptography/hazmat/primitives/asymmetric/utils.py
@@ -17,6 +17,10 @@ class _DSSSigValue(univ.Sequence):
 
 def decode_rfc6979_signature(signature):
     data = decoder.decode(signature, asn1Spec=_DSSSigValue())
+    if data[1]:
+        raise ValueError(
+            "The signature contains bytes after the end of the ASN.1 sequence."
+        )
     r = int(data[0].getComponentByName('r'))
     s = int(data[0].getComponentByName('s'))
     return (r, s)
diff --git a/tests/hazmat/primitives/test_asym_utils.py b/tests/hazmat/primitives/test_asym_utils.py
index f2f8850f..f8a67b68 100644
--- a/tests/hazmat/primitives/test_asym_utils.py
+++ b/tests/hazmat/primitives/test_asym_utils.py
@@ -4,6 +4,8 @@
 
 from __future__ import absolute_import, division, print_function
 
+import pytest
+
 from cryptography.hazmat.primitives.asymmetric.utils import (
     decode_rfc6979_signature, encode_rfc6979_signature
 )
@@ -32,3 +34,8 @@ def test_rfc6979_signature():
     sig4 = encode_rfc6979_signature(-1, 0)
     assert sig4 == b"0\x06\x02\x01\xFF\x02\x01\x00"
     assert decode_rfc6979_signature(sig4) == (-1, 0)
+
+
+def test_decode_rfc6979_trailing_bytes():
+    with pytest.raises(ValueError):
+        decode_rfc6979_signature(b"0\x06\x02\x01\x01\x02\x01\x01\x00\x00\x00")