I was looking at the arc4_getbyte() utility function the other day and I noticed something that struck me as dangerous.
    1 uchar
    2 arc4_getbyte( void )
    3 {
    4     uchar si, sj;
    5
    6     rs.i++;
    7     si = rs.s[rs.i];
    8     rs.j += si;
    9     sj = rs.s[rs.j];
   10     rs.s[rs.i] = sj;
   11     rs.s[rs.j] = si;
   12     return rs.s[(si + sj) & 0xff];
   13 }

rs.i and rs.j are used as array indexes into an array of length 256. But in lines 6 and 8, these indexes are incremented without bound. I realize they are uchar, which means 8 bits, and maybe this works fine in gcc, but shouldn't these lines be:

    6     rs.i++ & 0xff;
    8     rs.j += si & 0xff;

Or maybe even use % 255 instead of a bitmask. I did not test this, which is why this isn't a patch.

Michael Grant
_______________________________________________ isync-devel mailing list isync-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/isync-devel
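The question above can be settled by running the posted generator next to a reference that reduces its indices with an explicit modulus. The example below is added here as an editor's illustration; it is not isync's code and not part of the message. It keeps the posted arc4_getbyte() body verbatim (only moving the global `rs` into a `struct arc4` so two generators can run side by side), adds a standard RC4 key schedule (assumed, since the post does not show one), and compares the keystreams: with modulus 256 the two agree byte for byte, because C converts the int result of `rs.i++` and `rs.j += si` back to unsigned char modulo 256 on store, so the indices can never reach 256; with modulus 255 they diverge immediately. The one place where an explicit mask is needed is line 12, where `si + sj` is an int, and the posted code already has it. A known-answer check against the public RC4 test vector for key "Key" and plaintext "Plaintext" confirms the generator is correct as posted.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned char uchar;

/* Same layout as the posted generator: two uchar indices and a 256-byte
   S-box. The post keeps a single global `rs`; a struct is used here so
   two generators can be run in parallel from the same key. */
struct arc4 {
    uchar i, j;
    uchar s[256];
};

/* Standard RC4 key schedule (assumed here; not the isync code). */
static void arc4_keysetup(struct arc4 *st, const uchar *key, size_t keylen)
{
    int n;
    uchar j = 0, t;

    for (n = 0; n < 256; n++)
        st->s[n] = (uchar)n;
    for (n = 0; n < 256; n++) {
        j += st->s[n] + key[n % keylen];   /* uchar: wraps modulo 256 */
        t = st->s[n]; st->s[n] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

/* The generator as posted: i and j are uchar and are not masked. */
static uchar arc4_getbyte(struct arc4 *st)
{
    uchar si, sj;

    st->i++;              /* unsigned char: 255 + 1 stores 0, never 256 */
    si = st->s[st->i];
    st->j += si;          /* int sum is converted back to uchar on store */
    sj = st->s[st->j];
    st->s[st->i] = sj;
    st->s[st->j] = si;
    return st->s[(si + sj) & 0xff];   /* si + sj is an int: the mask is needed here */
}

/* Reference generator with int indices and an explicit modulus, so the
   reduction is visible rather than implied by the type of i and j. */
static uchar arc4_getbyte_mod(struct arc4 *st, int modulus)
{
    int i = (st->i + 1) % modulus;
    int j = (st->j + st->s[i]) % modulus;
    uchar si = st->s[i], sj = st->s[j];

    st->s[i] = sj;
    st->s[j] = si;
    st->i = (uchar)i;
    st->j = (uchar)j;
    return st->s[(si + sj) % modulus];
}

/* Returns 1 if the posted generator and the explicit-modulus reference
   produce identical keystreams for nbytes bytes from the same key. */
int arc4_matches_modulus(int modulus, size_t nbytes)
{
    struct arc4 a, b;
    static const uchar key[] = "Key";   /* constructed test key */
    size_t n;

    arc4_keysetup(&a, key, 3);
    arc4_keysetup(&b, key, 3);
    for (n = 0; n < nbytes; n++)
        if (arc4_getbyte(&a) != arc4_getbyte_mod(&b, modulus))
            return 0;
    return 1;
}

/* Known-answer test: RC4 with key "Key" encrypts "Plaintext" to
   BBF316E8D940AF0AD3. Returns 1 if the posted generator reproduces it. */
int arc4_known_answer(void)
{
    static const uchar expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    const char *pt = "Plaintext";
    struct arc4 st;
    size_t n;

    arc4_keysetup(&st, (const uchar *)"Key", 3);
    for (n = 0; n < 9; n++)
        if ((uchar)(pt[n] ^ arc4_getbyte(&st)) != expect[n])
            return 0;
    return 1;
}

int main(void)
{
    printf("known answer: %d\n", arc4_known_answer());
    printf("same as %% 256: %d\n", arc4_matches_modulus(256, 4096));
    printf("same as %% 255: %d\n", arc4_matches_modulus(255, 4096));
    return 0;
}
```

The `% 255` case also shows why a modulus of 255 would be a real bug rather than a harmless variant: it maps index 255 onto 0, so S[255] is never reached by `i` and the S-box stops being a permutation of 0..255, which breaks the cipher rather than hardening it.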