Fixed buffer overrun (read only, usually harmless, but sloppy nonetheless).
authorThomas Pornin <pornin@bolet.org>
Tue, 29 Nov 2016 15:03:49 +0000 (16:03 +0100)
committerThomas Pornin <pornin@bolet.org>
Tue, 29 Nov 2016 15:03:49 +0000 (16:03 +0100)
src/symcipher/aes_ct64.c
src/symcipher/aes_ct64_cbcdec.c
src/symcipher/aes_ct64_cbcenc.c
src/symcipher/aes_ct64_ctr.c

index 981e63d..1523811 100644 (file)
@@ -378,7 +378,7 @@ br_aes_ct64_skey_expand(uint64_t *skey,
 {
        unsigned u, v, n;
 
-       n = (num_rounds + 1) << 2;
+       n = (num_rounds + 1) << 1;
        for (u = 0, v = 0; u < n; u ++, v += 4) {
                uint64_t x0, x1, x2, x3;
 
index 814dce7..5a7360b 100644 (file)
@@ -39,7 +39,7 @@ br_aes_ct64_cbcdec_run(const br_aes_ct64_cbcdec_keys *ctx,
        void *iv, void *data, size_t len)
 {
        unsigned char *buf;
-       uint64_t sk_exp[240];
+       uint64_t sk_exp[120];
        uint32_t ivw[4];
 
        br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
index e320614..6cb9dec 100644 (file)
@@ -39,7 +39,7 @@ br_aes_ct64_cbcenc_run(const br_aes_ct64_cbcenc_keys *ctx,
        void *iv, void *data, size_t len)
 {
        unsigned char *buf;
-       uint64_t sk_exp[240];
+       uint64_t sk_exp[120];
        uint32_t ivw[4];
 
        br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
index 6d5a566..1275873 100644 (file)
@@ -53,7 +53,7 @@ br_aes_ct64_ctr_run(const br_aes_ct64_ctr_keys *ctx,
 {
        unsigned char *buf;
        uint32_t ivw[16];
-       uint64_t sk_exp[240];
+       uint64_t sk_exp[120];
 
        br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
        br_range_dec32le(ivw, 3, iv);