From e98315a1966d73d4b6be733cc0a94a85ebfa7916 Mon Sep 17 00:00:00 2001 From: Frank Morgner Date: Thu, 30 Jun 2016 21:50:22 +0200 Subject: [PATCH] libsm: fixed out of bounds write `sm_incr_ssc` performed an out of bounds write when `ssc` is bigger than 255. The local variable `ii` needs to be decremented instead of incremented in the `for`-loop. This was introduced in d30cd83a, whereas the previous implementation did actually decrement `ii`, see d30cd83ad4b62f2d158cc7b61fa0022afc5d0af2 Fixes https://github.com/OpenSC/OpenSC/issues/785 --- src/libsm/sm-common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libsm/sm-common.c b/src/libsm/sm-common.c index 87d5907f..144fe86d 100644 --- a/src/libsm/sm-common.c +++ b/src/libsm/sm-common.c @@ -359,7 +359,7 @@ sm_incr_ssc(unsigned char *ssc, size_t ssc_len) if (!ssc) return; - for (ii = ssc_len - 1;ii >= 0; ii++) { + for (ii = ssc_len + 1; ii >= 0; ii--) { *(ssc + ii) += 1; if (*(ssc + ii) != 0) break;
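Review bot: the corrected loop `for (ii = ssc_len - 1; ii >= 0; ii--)` is only safe if `ii` is a signed type; its declaration is outside the hunk, so please confirm it is `int` or `ssize_t` rather than `size_t`. With an unsigned `ii`, `ii >= 0` is always true, the decrement past zero wraps to the maximum value, and `*(ssc + ii) += 1` becomes a new out-of-bounds write when every byte of the counter is 0xFF and the carry runs off the front of the buffer. If `ii` is unsigned, rewrite the loop to count with an index that cannot underflow, e.g. `for (ii = ssc_len; ii > 0; ii--) { ssc[ii - 1] += 1; if (ssc[ii - 1] != 0) break; }`. Either way, a regression test that increments an `ssc` of 0xFF bytes (the case the commit message describes, a counter above 255) and checks that the carry propagates to the first byte without writing past either end would lock this fix in; the early `return` on a NULL `ssc` is fine, but a `ssc_len == 0` case should also be exercised so the loop is shown to execute zero times.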