libtomcrypt: fix vulnerability in der_decode_utf8_string CVE-2019-17362

[ynezz]

[ cherry pick of upstream commit 64d1153e5a515740ab56f39c46baf4cf6991a9d3 ]

The der_decode_utf8_string function (in der_decode_utf8_string.c) does not properly detect certain invalid UTF-8 sequences. This allows context-dependent attackers to cause a denial of service (out-of-bounds read and crash) or read information from other memory locations via carefully crafted DER-encoded data.

To exploit this vulnerability an attacker must be able to provide crafted DER-encoded data to LibTomCrypt (e.g. by importing a X509 certificate). Information disclosure is made possible by a 2-steps attack where the imported data is later somehow re-encoded and sent to the attacker (e.g. import and then export X509 certificate).

Fixes: CVE-2019-17362 References: https://github.com/libtom/libtomcrypt/issues/507