From: "Ulrich Müller"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Ulrich Müller"
Message-ID: <1449593812.d37ba903d8d0c9c3d7de8280b55229c23cebad18.ulm@gentoo>
Subject: [gentoo-commits] dev/ulm:master commit in: patchsets/skey/1.1.5/
X-VCS-Repository: dev/ulm
X-VCS-Files: patchsets/skey/1.1.5/14_all_extract-insert.patch
X-VCS-Directories: patchsets/skey/1.1.5/
X-VCS-Committer: ulm
X-VCS-Committer-Name: Ulrich Müller
X-VCS-Revision: d37ba903d8d0c9c3d7de8280b55229c23cebad18
X-VCS-Branch: master
Date: Sat, 12 Dec 2015 09:21:16 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 34cfad70-874c-43c6-becf-4896e4fa1bae
X-Archives-Hash: 2965c731c9dc8e99df1d46fff5b38cd6

commit: d37ba903d8d0c9c3d7de8280b55229c23cebad18
Author: Ulrich Müller gentoo org>
AuthorDate: Tue Dec 8 16:56:52 2015 +0000
Commit: Ulrich Müller gentoo org>
CommitDate: Tue Dec 8 16:56:52 2015 +0000
URL: https://gitweb.gentoo.org/dev/ulm.git/commit/?id=d37ba903

put.c: Avoid out of bounds stack read.

Fix the extract() function not to access unnecessary array elements;
this avoids an out-of-bounds read when called from btoe() or etob().
Change the insert() function to use similar logic as extract().

Bug: 567608

 patchsets/skey/1.1.5/14_all_extract-insert.patch | 84 ++++++++++++++++++++++++
 1 file changed, 84 insertions(+)

diff --git a/patchsets/skey/1.1.5/14_all_extract-insert.patch b/patchsets/skey/1.1.5/14_all_extract-insert.patch new file mode 100644 index 0000000..62e3efc --- /dev/null +++ b/patchsets/skey/1.1.5/14_all_extract-insert.patch
@@ -0,0 +1,84 @@ +https://bugs.gentoo.org/567608 +Fix the extract() function not to access unnecessary array elements; +this avoids an out-of-bounds read when called from btoe() or etob(). +Change the insert() function to use similar logic as extract(). + +--- skey-1.1.5-orig/put.c ++++ skey-1.1.5/put.c +@@ -2221,37 +2221,20 @@ + + static void insert(char *s, int x, int start, int length) + { +- unsigned char cl; +- unsigned char cc; +- unsigned char cr; + unsigned int y; +- int shift; ++ int end, i; + + assert(length <= 11); + assert(start >= 0); + assert(length >= 0); + assert(start + length <= 66); + +- shift = ((8 - ((start + length) % 8)) % 8); +- y = (int) x << shift; +- cl = (y >> 16) & 0xff; +- cc = (y >> 8) & 0xff; +- cr = y & 0xff; +- if (shift + length > 16) +- { +- s[start / 8] |= cl; +- s[start / 8 + 1] |= cc; +- s[start / 8 + 2] |= cr; +- } +- else if (shift + length > 8) +- { +- s[start / 8] |= cc; +- s[start / 8 + 1] |= cr; +- } +- else +- { +- s[start / 8] |= cr; +- } ++ end = start + length - 1; ++ y = x << (7 - end % 8); ++ for (i = end / 8; i >= start / 8; i--) { ++ s[i] |= y & 0xff; ++ y >>= 8; ++ } + } + + static void standard(char *word) +@@ -2274,22 +2257,22 @@ + /* Extract 'length' bits from the char array 's' starting with bit 'start' */ + static unsigned int extract(char *s, int start, int length) + { +- unsigned char cl; +- unsigned char cc; +- unsigned char cr; + unsigned int x; ++ int end, i; + + assert(length <= 11); + assert(start >= 0); + assert(length >= 0); + assert(start + length <= 66); + +- cl = s[start / 8]; +- cc = s[start / 8 + 1]; +- cr = s[start / 8 + 2]; +- x = ((int)(cl << 8 | cc) << 8 | cr); +- x = x >> (24 - (length + (start % 8))); +- x = (x & (0xffff >> (16 - length))); ++ end = start + length - 1; ++ x = 0; ++ for (i = start / 8; i <= end / 8; i++) { ++ x <<= 8; ++ x |= (unsigned char)s[i]; ++ } ++ x >>= 7 - end % 8; ++ x &= (1 << length) - 1; + + return x; + }
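
Review bot: in the put.c insert() hunk, `y = x << (7 - end % 8);` left-shifts the signed `int x` before the result is converted to `unsigned int y`, and `x` is never limited to `length` bits, so a set bit above the field can be OR-ed into the bits of `s[start / 8]` that precede `start`. Suggest `y = ((unsigned int)x & ((1u << length) - 1)) << (7 - end % 8);`, which keeps the shift unsigned and mirrors the mask that extract() applies to its result.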
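
Review bot: in the put.c extract() hunk, the retained `assert(length >= 0);` still admits `length == 0`, for which `end = start + length - 1;` becomes `start - 1`; with `start == 0` that makes `end % 8` negative and the loop still reads `s[0]` once. Suggest requiring `length >= 1` (or returning 0 early), and the same for insert(), which computes `end` the same way. Two smaller points on the same lines: the `assert()` calls are the only bound on the `s[i]` index and are compiled out under NDEBUG, so an explicit range check would keep the fix effective in release builds, and `(1 << length) - 1` would be cleaner as `(1u << length) - 1` since `x` is unsigned.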