From: Thomas Pornin
Date: Tue, 29 Nov 2016 15:03:49 +0000 (+0100)
Subject: Fixed buffer overrun (read only, usually harmless, but sloppy nonetheless).
X-Git-Tag: v0.4~41
X-Git-Url: https://bearssl.org/gitweb//home/git/?a=commitdiff_plain;h=93185df1e78b2d0a06e155cdf255391cff53cfed;p=BearSSL
Fixed buffer overrun (read only, usually harmless, but sloppy nonetheless).
---
diff --git a/src/symcipher/aes_ct64.c b/src/symcipher/aes_ct64.c
index 981e63d..1523811 100644
--- a/src/symcipher/aes_ct64.c
+++ b/src/symcipher/aes_ct64.c
@@ -378,7 +378,7 @@ br_aes_ct64_skey_expand(uint64_t *skey,
 {
 unsigned u, v, n;
- n = (num_rounds + 1) << 2;
+ n = (num_rounds + 1) << 1;
 for (u = 0, v = 0; u < n; u ++, v += 4) {
 uint64_t x0, x1, x2, x3;
diff --git a/src/symcipher/aes_ct64_cbcdec.c b/src/symcipher/aes_ct64_cbcdec.c
index 814dce7..5a7360b 100644
--- a/src/symcipher/aes_ct64_cbcdec.c
+++ b/src/symcipher/aes_ct64_cbcdec.c
@@ -39,7 +39,7 @@ br_aes_ct64_cbcdec_run(const br_aes_ct64_cbcdec_keys *ctx,
 void *iv, void *data, size_t len)
 {
 unsigned char *buf;
- uint64_t sk_exp[240];
+ uint64_t sk_exp[120];
 uint32_t ivw[4];
 br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
diff --git a/src/symcipher/aes_ct64_cbcenc.c b/src/symcipher/aes_ct64_cbcenc.c
index e320614..6cb9dec 100644
--- a/src/symcipher/aes_ct64_cbcenc.c
+++ b/src/symcipher/aes_ct64_cbcenc.c
@@ -39,7 +39,7 @@ br_aes_ct64_cbcenc_run(const br_aes_ct64_cbcenc_keys *ctx,
 void *iv, void *data, size_t len)
 {
 unsigned char *buf;
- uint64_t sk_exp[240];
+ uint64_t sk_exp[120];
 uint32_t ivw[4];
 br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
diff --git a/src/symcipher/aes_ct64_ctr.c b/src/symcipher/aes_ct64_ctr.c
index 6d5a566..1275873 100644
--- a/src/symcipher/aes_ct64_ctr.c
+++ b/src/symcipher/aes_ct64_ctr.c
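Review bot: The loop bound `n = (num_rounds + 1) << 1` in br_aes_ct64_skey_expand is still derived from `num_rounds` alone, and nothing at this point states how large `skey` and the input key array have to be. The `v += 4` stride and the four temporaries `x0`..`x3` suggest four output words per input word, so the caller apparently must supply 8 * (num_rounds + 1) words of `skey`; the loop body and the rest of the signature are outside the hunk, so this is inferred. A comment above the assignment would make the contract reviewable, for example `/* reads 2*(num_rounds+1) words of the compressed key, writes 8*(num_rounds+1) words into skey[] */`.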
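Review bot: `uint64_t sk_exp[120]` in br_aes_ct64_cbcdec_run is a bare literal whose correctness depends on `ctx->num_rounds` never exceeding 14, and the same declaration is repeated in br_aes_ct64_cbcenc_run and br_aes_ct64_ctr_run. With the new bound in br_aes_ct64_skey_expand, 120 appears to be 8 * (14 + 1), so the array has no slack and a larger `num_rounds` in a corrupted or uninitialised context would make the expansion write past the stack array. I would put a comment on each declaration such as `/* 8 * (max rounds + 1) = 8 * 15 words; br_aes_ct64_skey_expand() fills 8 * (num_rounds + 1) */`, or share one named constant between the three files. The function bodies continue outside the hunks.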
@@ -53,7 +53,7 @@ br_aes_ct64_ctr_run(const br_aes_ct64_ctr_keys *ctx,
 {
 unsigned char *buf;
 uint32_t ivw[16];
- uint64_t sk_exp[240];
+ uint64_t sk_exp[120];
 br_aes_ct64_skey_expand(sk_exp, ctx->num_rounds, ctx->skey);
 br_range_dec32le(ivw, 3, iv);