Commit

myeid: fixed CID 380538 Out-of-bounds read (OVERRUN)
also fixes output buffer size checking
popovec authored and Jakuje committed Jul 3, 2023
1 parent 232265d commit f1993dc
Showing 1 changed file with 6 additions and 4 deletions.
10 changes: 6 additions & 4 deletions src/libopensc/card-myeid.c
Expand Up @@ -1986,18 +1986,20 @@ myeid_enc_dec_sym(struct sc_card *card, const u8 *data, size_t datalen,
sc_log(ctx, "Found padding byte %02x", pad_byte);
if (pad_byte == 0 || pad_byte > block_size)
LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
sdata = priv->sym_plain_buffer + block_size - pad_byte;
sdata = priv->sym_plain_buffer + block_size;
for (i = 0; i < pad_byte; i++)
if (sdata[i] != pad_byte)
if (*(--sdata) != pad_byte)
LOG_FUNC_RETURN(ctx, SC_ERROR_WRONG_PADDING);
return_len = block_size - pad_byte;
}
*outlen = return_len;
/* application can request buffer size or actual buffer size is too small */
if (out == NULL)
if (out == NULL) {
*outlen = return_len;
LOG_FUNC_RETURN(ctx, SC_SUCCESS);
}
if (return_len > *outlen)
LOG_FUNC_RETURN(ctx, SC_ERROR_BUFFER_TOO_SMALL);
*outlen = return_len;
memcpy(out, priv->sym_plain_buffer, return_len);
sc_log(ctx, "C_DecryptFinal %zu bytes", *outlen);
return SC_SUCCESS;
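Review bot: On the `if (return_len > *outlen)` path the function now returns SC_ERROR_BUFFER_TOO_SMALL without writing `return_len` back to `*outlen`, so a caller that passed a short buffer gets the error but not the size it needs, although the comment above says this block covers both "request buffer size" and "actual buffer size is too small". Consider storing `return_len` in `*outlen` before returning the error (compare against the caller's value first, then overwrite it), so the caller can retry with the right size and not only when `out == NULL`. Separately, the rewritten padding loop `if (*(--sdata) != pad_byte)` walks back from `priv->sym_plain_buffer + block_size` and reads the same `pad_byte` bytes the old `sdata[i]` form did; its safety rests on `pad_byte > block_size` being rejected and on `block_size` never exceeding the size of `sym_plain_buffer`, which is not visible in this hunk. An explicit check or a short comment stating that bound here would make the out-of-bounds read fix verifiable from the code itself.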