Pierre Vittet <pier...@pvittet.com> writes:

> The bug appears when:
> 1) We use libiberty compiled with -O0
> 2) We first call md5_process_bytes with a less than 64 bits buffer (we
> call its size len1).
> 3) We make a new call of md5_process_bytes with a buffer which has a
> size len2 such as:
> len2 > 127 + 65 (so test in line 228 of md5.C will be true)
> 128 - len1 != Mulint with Mulint % __alignof__ (md5_uint32) != 0 (so
> condition on line 238 is true)
> len2 - (128 - len1) = Mul64 and Mul64 such as Mul %64=0 (so the loop of
> line 239 is broken with len = 64, this leads to the bug as, line 249,
> (len & ~63) = 64 and we shift the buffer without processing the data).

The line numbers you mention do not correspond to any version of libiberty/md5.c that I can see. Can you list the exact line for each line number you mention, so that your explanation is easier to follow?

Thanks.

Ian