libsm: fixed out of bounds write

`sm_incr_ssc` performed an out of bounds write when `ssc` is bigger than 255. The local variable `ii` needs to be decremented instead of incremented in the `for`-loop. This was introduced in d30cd83a, wheras The previous implementation did actually decrement `ii`, see d30cd83ad4 Fixes https://github.com/OpenSC/OpenSC/issues/785
2016-06-30 21:50:22 +02:00 · 2016-06-30 21:50:22 +02:00 · e98315a196
commit e98315a196
parent 4441efa6da
1 changed files with 1 additions and 1 deletions
--- a/src/libsm/sm-common.c
+++ b/src/libsm/sm-common.c
@ -359,7 +359,7 @@ sm_incr_ssc(unsigned char *ssc, size_t ssc_len)
 	if (!ssc)
 		return;

-	for (ii = ssc_len - 1;ii >= 0; ii++)   {
+	for (ii = ssc_len - 1; ii >= 0; ii--)   {
 		*(ssc + ii) += 1;
 		if (*(ssc + ii) != 0)
 			break;