From 027e4a08679c1bacb139e990ec33b8a61f3d416a Mon Sep 17 00:00:00 2001
From: Frank Morgner <morgner@informatik.hu-berlin.de>
Date: Wed, 28 Jan 2015 05:59:41 +0100
Subject: [PATCH] fixed out of bounds read

---
 src/libopensc/ctx.c         | 2 +-
 src/libopensc/reader-pcsc.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/libopensc/ctx.c b/src/libopensc/ctx.c
index daade137..fa94dc14 100644
--- a/src/libopensc/ctx.c
+++ b/src/libopensc/ctx.c
@@ -840,7 +840,7 @@ int sc_set_card_driver(sc_context_t *ctx, const char *short_name)
 	if (short_name == NULL) {
 		ctx->forced_driver = NULL;
 		match = 1;
-	} else while (ctx->card_drivers[i] != NULL && i < SC_MAX_CARD_DRIVERS) {
+	} else while (i < SC_MAX_CARD_DRIVERS && ctx->card_drivers[i] != NULL) {
 		struct sc_card_driver *drv = ctx->card_drivers[i];
 
 		if (strcmp(short_name, drv->short_name) == 0) {
diff --git a/src/libopensc/reader-pcsc.c b/src/libopensc/reader-pcsc.c
index b6a33c7a..da65c3fb 100644
--- a/src/libopensc/reader-pcsc.c
+++ b/src/libopensc/reader-pcsc.c
@@ -768,7 +768,7 @@ static unsigned long part10_detect_pace_capabilities(sc_reader_t *reader)
         PACE_FUNCTION_GetReaderPACECapabilities, /* idxFunction */
         0, 0,                                    /* lengthInputData */
     };
-    u8 rbuf[6];
+    u8 rbuf[7];
     u8 *p = rbuf;
     size_t rcount = sizeof rbuf;
     struct pcsc_private_data *priv;