fixed out of bounds access/write
This commit is contained in:
parent
68d86644fd
commit
87b2403673
|
@ -227,7 +227,7 @@ des3_encrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
|
|||
|
||||
|
||||
static int
|
||||
des3_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[8],
|
||||
des3_decrypt_cbc(const unsigned char *key, int keysize, unsigned char iv[EVP_MAX_IV_LENGTH],
|
||||
const unsigned char *input, size_t length, unsigned char *output)
|
||||
{
|
||||
unsigned char bKey[24] = { 0 };
|
||||
|
|
|
@ -305,8 +305,8 @@ static int encode_file_structure(sc_card_t *card, const sc_file_t *file,
|
|||
u8 *out, size_t *outlen)
|
||||
{
|
||||
const sc_acl_entry_t *read, *update, *delete, *generate;
|
||||
u8 buf[40];
|
||||
int i;
|
||||
u8 buf[41];
|
||||
size_t i;
|
||||
|
||||
LOG_FUNC_CALLED(card->ctx);
|
||||
/* PrivateKey
|
||||
|
@ -412,7 +412,7 @@ static int encode_file_structure(sc_card_t *card, const sc_file_t *file,
|
|||
buf[25] = 0x84;
|
||||
buf[26] = (u8)file->namelen;
|
||||
|
||||
for(i=0;i < (int)file->namelen;i++)
|
||||
for(i=0;i < file->namelen;i++)
|
||||
buf[i + 26] = file->name[i];
|
||||
|
||||
buf[1] = 0x19 + file->namelen + 2;
|
||||
|
|
|
@ -438,7 +438,7 @@ static int setcos_create_file_44(sc_card_t *card, sc_file_t *file)
|
|||
const int* p_idx;
|
||||
int i;
|
||||
int len = 0;
|
||||
u8 bBuf[32];
|
||||
u8 bBuf[64];
|
||||
|
||||
/* Get specific operation groups for specified file-type */
|
||||
switch (file->type){
|
||||
|
|
|
@ -45,7 +45,7 @@ ctbcs_build_perform_verification_apdu(sc_apdu_t *apdu, struct sc_pin_cmd_data *d
|
|||
{
|
||||
const char *prompt;
|
||||
size_t buflen, count = 0, j = 0, len;
|
||||
static u8 buf[254];
|
||||
static u8 buf[256];
|
||||
u8 control;
|
||||
|
||||
ctbcs_init_apdu(apdu,
|
||||
|
@ -113,7 +113,7 @@ ctbcs_build_modify_verification_apdu(sc_apdu_t *apdu, struct sc_pin_cmd_data *da
|
|||
{
|
||||
const char *prompt;
|
||||
size_t buflen, count = 0, j = 0, len;
|
||||
static u8 buf[254];
|
||||
static u8 buf[256];
|
||||
u8 control;
|
||||
|
||||
ctbcs_init_apdu(apdu,
|
||||
|
|
|
@ -510,7 +510,7 @@ static int asepcos_do_create_key(sc_card_t *card, size_t ksize, int fileid,
|
|||
int r;
|
||||
size_t len;
|
||||
sc_file_t *nfile = NULL;
|
||||
u8 buf[512], *p = buf;
|
||||
u8 buf[1024], *p = buf;
|
||||
|
||||
if (sizeof(buf) < kdlen + 11)
|
||||
return SC_ERROR_BUFFER_TOO_SMALL;
|
||||
|
|
|
@ -187,7 +187,7 @@ static int openpgp_generate_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card
|
|||
|
||||
/* The OpenPGP supports only 32-bit exponent. */
|
||||
key_info.exponent_len = 32;
|
||||
key_info.exponent = calloc(4, 1);
|
||||
key_info.exponent = calloc(key_info.exponent_len>>3, 1); /* 1/8 */
|
||||
if (key_info.exponent == NULL)
|
||||
LOG_FUNC_RETURN(ctx, SC_ERROR_NOT_ENOUGH_MEMORY);
|
||||
|
||||
|
@ -204,10 +204,10 @@ static int openpgp_generate_key(sc_profile_t *profile, sc_pkcs15_card_t *p15card
|
|||
|
||||
sc_log(ctx, "Set output exponent info");
|
||||
pubkey->u.rsa.exponent.len = key_info.exponent_len;
|
||||
pubkey->u.rsa.exponent.data = calloc(key_info.exponent_len, 1);
|
||||
pubkey->u.rsa.exponent.data = calloc(key_info.exponent_len>>3, 1); /* 1/8 */
|
||||
if (pubkey->u.rsa.exponent.data == NULL)
|
||||
goto out;
|
||||
memcpy(pubkey->u.rsa.exponent.data, key_info.exponent, key_info.exponent_len);
|
||||
memcpy(pubkey->u.rsa.exponent.data, key_info.exponent, key_info.exponent_len>>3); /* 1/8 */
|
||||
|
||||
out:
|
||||
if (key_info.modulus)
|
||||
|
|
|
@ -716,7 +716,7 @@ static int encode_private_key(RSA *rsa, u8 *key, size_t *keysize)
|
|||
|
||||
static int encode_public_key(RSA *rsa, u8 *key, size_t *keysize)
|
||||
{
|
||||
u8 buf[512], *p = buf;
|
||||
u8 buf[1024], *p = buf;
|
||||
u8 bnbuf[256];
|
||||
int base = 0;
|
||||
int r;
|
||||
|
|
Loading…
Reference in New Issue