md->state_var.curlen theoretically could be sizeof(buf) so overflow could happen.
Need REALLY proper review. Signed-off-by: Jan Friesse <jfrie...@redhat.com> --- exec/crypto.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) diff --git a/exec/crypto.c b/exec/crypto.c index 901797a..5e0e8a6 100644 --- a/exec/crypto.c +++ b/exec/crypto.c @@ -287,6 +287,9 @@ int func_name (hash_state * md, const unsigned char *buf, unsigned long len) len -= block_size; \ } else { \ n = MIN(len, (block_size - md-> state_var .curlen)); \ + if (md-> state_var .curlen == sizeof(md-> state_var .buf)) { \ + return CRYPT_INVALID_ARG; \ + } \ memcpy(md-> state_var .buf + md-> state_var.curlen, buf, (size_t)n); \ md-> state_var .curlen += n; \ buf += n; \ -- 1.7.1 _______________________________________________ Openais mailing list Openais@lists.linux-foundation.org https://lists.linux-foundation.org/mailman/listinfo/openais