From 0cdc0479b8df27c4de09422928a0906df3780564 Mon Sep 17 00:00:00 2001
From: Kees Cook
Date: Mon, 16 May 2005 09:15:24 +0000
Subject: [PATCH] Avoid segfault in hash update with corrupted decrypt data.
---
 dlls/rsaenh/rsaenh.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/dlls/rsaenh/rsaenh.c b/dlls/rsaenh/rsaenh.c
index 7cf17d96086..5b67ff78c40 100644
--- a/dlls/rsaenh/rsaenh.c
+++ b/dlls/rsaenh/rsaenh.c
@@ -1929,6 +1929,7 @@ BOOL WINAPI RSAENH_CPDecrypt(HCRYPTPROV hProv, HCRYPTKEY hKey, HCRYPTHASH hHash,
 CRYPTKEY *pCryptKey;
 BYTE *in, out[RSAENH_MAX_BLOCK_SIZE], o[RSAENH_MAX_BLOCK_SIZE];
 DWORD i, j, k;
+ DWORD dwMax;
 TRACE("(hProv=%08lx, hKey=%08lx, hHash=%08lx, Final=%d, dwFlags=%08lx, pbData=%p, "
 "pdwDataLen=%p)\n", hProv, hKey, hHash, Final, dwFlags, pbData, pdwDataLen);
@@ -1959,7 +1960,9 @@ BOOL WINAPI RSAENH_CPDecrypt(HCRYPTPROV hProv, HCRYPTKEY hKey, HCRYPTHASH hHash,
 SetLastError(NTE_BAD_DATA);
 return FALSE;
 }
-
+
+ dwMax=*pdwDataLen;
+
 if (GET_ALG_TYPE(pCryptKey->aiAlgid) == ALG_TYPE_BLOCK) {
 for (i=0, in=pbData; i<*pdwDataLen; i+=pCryptKey->dwBlockLen, in+=pCryptKey->dwBlockLen) {
 switch (pCryptKey->dwMode) {
@@ -2012,7 +2015,8 @@ BOOL WINAPI RSAENH_CPDecrypt(HCRYPTPROV hProv, HCRYPTKEY hKey, HCRYPTHASH hHash,
 if (Final) setup_key(pCryptKey);
 if (is_valid_handle(&handle_table, hHash, RSAENH_MAGIC_HASH)) {
- if (!RSAENH_CPHashData(hProv, hHash, pbData, *pdwDataLen, 0)) return FALSE;
+ if (*pdwDataLen>dwMax ||
+ !RSAENH_CPHashData(hProv, hHash, pbData, *pdwDataLen, 0)) return FALSE;
 }
 return TRUE;
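Review bot: The new `*pdwDataLen>dwMax` test in the last hunk only runs when `hHash` is a valid hash handle, so a decrypt call made without a hash still returns TRUE with whatever length the corrupted data produced, and the caller will trust that length for its own reads of `pbData`. The guard also returns FALSE without setting a last error, unlike the `SetLastError(NTE_BAD_DATA); return FALSE;` path visible in the second hunk. Placing it ahead of the `is_valid_handle` check as `if (*pdwDataLen > dwMax) { SetLastError(NTE_BAD_DATA); return FALSE; }` would cover both cases. The code that shrinks `*pdwDataLen` (presumably padding removal on the final block) lies outside these hunks, so rejecting an out-of-range pad length there, before the subtraction, looks like the more direct fix; confirm this against the full function.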