path: root/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch
blob: 07f4a18a2fc3236866fefc940491988b3022b025
From eb87af0c2d189c25294c7daf483a47b03af80c2c Mon Sep 17 00:00:00 2001
From: Jeffrey Altman <jaltman@secure-endpoints.com>
Date: Wed, 17 Nov 2021 20:00:29 -0500
Subject: [PATCH] lib/wind: find_normalize read past end of array

find_normalize() can under some circumstances read one element
beyond the input array.  The contents are discarded immediately
without further use.

This change prevents the unintended read.

(cherry picked from commit 357a38fc7fb582ae73f4b7f4a90a4b0b871b149e)

Change-Id: Ia2759a5632d64f7fa6553f879b5bbbf43ba3513e

Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c]
CVE: CVE-2022-41916

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 lib/wind/normalize.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/wind/normalize.c b/lib/wind/normalize.c
index 20e8a4a04b..8f3991d10e 100644
--- a/lib/wind/normalize.c
+++ b/lib/wind/normalize.c
@@ -227,9 +227,9 @@ find_composition(const uint32_t *in, unsigned in_len)
	unsigned i;

	if (n % 5 == 0) {
-	    cur = *in++;
	    if (in_len-- == 0)
		return c->val;
+	    cur = *in++;
	}

	i = cur >> 16;
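
Review bot: The subject and body name find_normalize(), but the hunk header places this change in find_composition(const uint32_t *in, unsigned in_len), so the commit message should name the function that is actually modified; anyone auditing the CVE-2022-41916 backport by function name will otherwise look in the wrong place. On the logic inside the `if (n % 5 == 0)` block, moving `cur = *in++;` below the `in_len-- == 0` test means the element is only dereferenced once at least one is known to remain, which matches the stated intent. Since in_len is unsigned, the post-decrement still wraps it when it is already 0; that is harmless here only because the function returns on that path. Splitting it into an explicit `if (in_len == 0) return c->val;` followed by `in_len--;` and `cur = *in++;` would make the bounds check and the consumption separate and easier to verify. A short comment stating that the length must be checked before the read would also help keep the order from being reversed again.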