Skip to content

Commit

Permalink
#111: bugfix: fix out-of-bounds read in inline asm encoders
Browse files Browse the repository at this point in the history
Fix an out-of-bounds read in the inline assembly encoder
implementations.

Rounds are 12 bytes in size, but reads are done in blocks of 16 bytes.
To ensure that there is always enough space to read those 16 bytes, we
need to "reserve" four bytes of input by subtracting those bytes from
the input buffer.

Resolves #111.
aklomp committed Oct 24, 2022
1 parent 5e5f63f commit ac15157
Showing 2 changed files with 8 additions and 4 deletions.
6 changes: 4 additions & 2 deletions lib/arch/avx/enc_loop_asm.c
Original file line number Diff line number Diff line change
@@ -129,8 +129,10 @@ enc_loop_avx (const uint8_t **s, size_t *slen, uint8_t **o, size_t *olen)
return;
}

// Process blocks of 12 bytes at a time.
size_t rounds = *slen / 12;
// Process blocks of 12 bytes at a time. Input is read in blocks of 16
// bytes, so "reserve" four bytes from the input buffer to ensure that
// we never read beyond the end of the input buffer.
size_t rounds = (*slen - 4) / 12;

*slen -= rounds * 12; // 12 bytes consumed per round
*olen += rounds * 16; // 16 bytes produced per round
6 changes: 4 additions & 2 deletions lib/arch/ssse3/enc_loop_asm.c
Original file line number Diff line number Diff line change
@@ -133,8 +133,10 @@ enc_loop_ssse3 (const uint8_t **s, size_t *slen, uint8_t **o, size_t *olen)
return;
}

// Process blocks of 12 bytes at a time.
size_t rounds = *slen / 12;
// Process blocks of 12 bytes at a time. Input is read in blocks of 16
// bytes, so "reserve" four bytes from the input buffer to ensure that
// we never read beyond the end of the input buffer.
size_t rounds = (*slen - 4) / 12;

*slen -= rounds * 12; // 12 bytes consumed per round
*olen += rounds * 16; // 16 bytes produced per round

0 comments on commit ac15157

Please sign in to comment.