[pkg-opensc-commit] [opensc] 31/295: libsm: fixed out of bounds write

[Eric Dorland]

This is an automated email from the git hooks/post-receive script.

eric pushed a commit to branch master
in repository opensc.

commit e98315a1966d73d4b6be733cc0a94a85ebfa7916
Author: Frank Morgner <frankmorgner at gmail.com>
Date:   Thu Jun 30 21:50:22 2016 +0200

    libsm: fixed out of bounds write
    
    `sm_incr_ssc` performed an out of bounds write when `ssc` is bigger than
    255. The local variable `ii` needs to be decremented instead of
    incremented in the `for`-loop.
    
    This was introduced in d30cd83a, wheras The previous implementation did
    actually decrement `ii`, see d30cd83ad4b62f2d158cc7b61fa0022afc5d0af2
    
    Fixes https://github.com/OpenSC/OpenSC/issues/785
---
 src/libsm/sm-common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libsm/sm-common.c b/src/libsm/sm-common.c
index 87d5907..144fe86 100644
--- a/src/libsm/sm-common.c
+++ b/src/libsm/sm-common.c
@@ -359,7 +359,7 @@ sm_incr_ssc(unsigned char *ssc, size_t ssc_len)
 	if (!ssc)
 		return;
 
-	for (ii = ssc_len - 1;ii >= 0; ii++)   {
+	for (ii = ssc_len - 1; ii >= 0; ii--)   {
 		*(ssc + ii) += 1;
 		if (*(ssc + ii) != 0)
 			break;

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-opensc/opensc.git