From 30596346da815424c3e26cb0483178a58550490c Mon Sep 17 00:00:00 2001
From: sproxet
Date: Tue, 6 Dec 2022 19:48:55 +0700
Subject: [PATCH] Fix UB in EvalScript (#1212)
* Do not construct out-of-bound pointers in SHA512/SHA1/RIPEMD160 code
* Fix UB resulting from a bad pointer construction in CSHA256::Write.
Co-authored-by: Pieter Wuille
---
 src/crypto/ripemd160.cpp | 2 +-
 src/crypto/sha1.cpp | 2 +-
 src/crypto/sha256.cpp | 2 +-
 src/crypto/sha512.cpp | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/crypto/ripemd160.cpp b/src/crypto/ripemd160.cpp
index 77c9acfc26..05534652c4 100644
--- a/src/crypto/ripemd160.cpp
+++ b/src/crypto/ripemd160.cpp
@@ -256,7 +256,7 @@ CRIPEMD160& CRIPEMD160::Write(const unsigned char* data, size_t len)
 ripemd160::Transform(s, buf);
 bufsize = 0;
 }
- while (end >= data + 64) {
+ while (end - data >= 64) {
 // Process full chunks directly from the source.
 ripemd160::Transform(s, data);
 bytes += 64;
diff --git a/src/crypto/sha1.cpp b/src/crypto/sha1.cpp
index 0b895b33a2..6dd8caede7 100644
--- a/src/crypto/sha1.cpp
+++ b/src/crypto/sha1.cpp
@@ -163,7 +163,7 @@ CSHA1& CSHA1::Write(const unsigned char* data, size_t len)
 sha1::Transform(s, buf);
 bufsize = 0;
 }
- while (end >= data + 64) {
+ while (end - data >= 64) {
 // Process full chunks directly from the source.
 sha1::Transform(s, data);
 bytes += 64;
diff --git a/src/crypto/sha256.cpp b/src/crypto/sha256.cpp
index 5b9f00a0a2..d7d9380bb4 100644
--- a/src/crypto/sha256.cpp
+++ b/src/crypto/sha256.cpp
@@ -150,7 +150,7 @@ CSHA256& CSHA256::Write(const unsigned char* data, size_t len)
 sha256::Transform(s, buf);
 bufsize = 0;
 }
- while (end >= data + 64) {
+ while (end - data >= 64) {
 // Process full chunks directly from the source.
 sha256::Transform(s, data);
 bytes += 64;
diff --git a/src/crypto/sha512.cpp b/src/crypto/sha512.cpp
index 564127cc31..5ec945252c 100644
--- a/src/crypto/sha512.cpp
+++ b/src/crypto/sha512.cpp
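Review bot: The rewritten loop condition `while (end - data >= 64)` in CRIPEMD160::Write has no comment saying why the subtraction form is required, so a later cleanup could restore `end >= data + 64`, which forms a pointer beyond one past the end of the caller's buffer whenever fewer than 64 bytes remain. I would add `// Compare the remaining length; forming data + 64 past the end of the input is UB.` above the loop here and in the matching hunks for CSHA1::Write, CSHA256::Write and CSHA512::Write (with 128 in the last). The patch touches only the four Write bodies and adds no test, so a unit test that hashes empty and sub-block inputs through each class, run in a sanitizer build if the project has one, would keep the old form from coming back unnoticed. Each Write body starts and ends outside its hunk, including the computation of `end`, which I assume is `data + len`.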
@@ -168,7 +168,7 @@ CSHA512& CSHA512::Write(const unsigned char* data, size_t len)
 sha512::Transform(s, buf);
 bufsize = 0;
 }
- while (end >= data + 128) {
+ while (end - data >= 128) {
 // Process full chunks directly from the source.
 sha512::Transform(s, data);
 data += 128;