[rsaenh]: Correction for buffer size detection

Kees Cook kees at outflux.net
Sun May 15 23:56:51 CDT 2005


rsaenh.c accidentally tries to write into the output buffer before
checking the available size.  This patch fixes a crash when you call
CryptDecrypt with a buffer size smaller than needed instead of correctly 
failing with ERROR_MORE_DATA.

ChangeLog:
	avoid segfault when detecting decryption buffer size.

-- 
Kees Cook                                            @outflux.net
-------------- next part --------------
Index: dlls/rsaenh/rsaenh.c
===================================================================
RCS file: /home/wine/wine/dlls/rsaenh/rsaenh.c,v
retrieving revision 1.26
diff -u -p -4 -r1.26 rsaenh.c
--- dlls/rsaenh/rsaenh.c	18 Apr 2005 15:36:21 -0000	1.26
+++ dlls/rsaenh/rsaenh.c	16 May 2005 04:54:27 -0000
@@ -1833,16 +1833,16 @@ BOOL WINAPI RSAENH_CPEncrypt(HCRYPTPROV 
             return FALSE;
         }
 
         dwEncryptedLen = (*pdwDataLen/pCryptKey->dwBlockLen+(Final?1:0))*pCryptKey->dwBlockLen;
-        for (i=*pdwDataLen; i<dwEncryptedLen; i++) pbData[i] = dwEncryptedLen - *pdwDataLen;
         *pdwDataLen = dwEncryptedLen; 
 
         if (*pdwDataLen > dwBufLen) 
         {
             SetLastError(ERROR_MORE_DATA);
             return FALSE;
         }
+        for (i=*pdwDataLen; i<dwEncryptedLen; i++) pbData[i] = dwEncryptedLen - *pdwDataLen;
     
         for (i=0, in=pbData; i<*pdwDataLen; i+=pCryptKey->dwBlockLen, in+=pCryptKey->dwBlockLen) {
             switch (pCryptKey->dwMode) {
                 case CRYPT_MODE_ECB:
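Review bot: the relocated padding loop can never execute, because it now runs after `*pdwDataLen = dwEncryptedLen;`, so `i` starts at `dwEncryptedLen` and the condition `i<dwEncryptedLen` is false on the first test. The pad value `dwEncryptedLen - *pdwDataLen` would also evaluate to 0 at that point. The size check no longer writes past a short buffer, but the block padding is silently dropped before the encryption loop that follows. Suggest saving the caller's original length in a local before overwriting `*pdwDataLen`, keeping the ERROR_MORE_DATA check where it is, and then padding from that saved length with the pad byte computed as `dwEncryptedLen` minus the saved length. Separately, the description refers to CryptDecrypt while this hunk is in RSAENH_CPEncrypt; worth confirming which path was crashing and noting it in the ChangeLog.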

