blob: 0f0cf41bb6e0522bc7b05bf9bf8316a01f8ac654 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
Port changes to the extract() function from the skey patchset,
fixing an out-of-bounds read.
Fix signedness of first function argument.
--- otpCalc-0.97-orig/utility.c
+++ otpCalc-0.97/utility.c
@@ -28,21 +28,21 @@
#include "utility.h"
-static unsigned short extract(char *s, int start, int length)
+static unsigned short extract(unsigned char *s, int start, int length)
{
- unsigned char cl;
- unsigned char cc;
- unsigned char cr;
unsigned int x;
+ int end, i;
- cl = s[start / 8];
- cc = s[start / 8 + 1];
- cr = s[start / 8 + 2];
- x = ((int) (cl << 8 | cc) << 8 | cr);
- x = x >> (24 - (length + (start % 8)));
- x = (x & (0xffff >> (16 - length)));
+ end = start + length - 1;
+ x = 0;
+ for (i = start / 8; i <= end / 8; i++) {
+ x <<= 8;
+ x |= s[i];
+ }
+ x >>= 7 - end % 8;
+ x &= (1 << length) - 1;
return (unsigned short)x;
|