On Thu, Nov 10, 2011 at 9:38 AM, Ronald S. Bultje <[email protected]> wrote:
> Hi,
>
> On Thu, Nov 3, 2011 at 6:15 PM, Alex Converse <[email protected]> wrote:
>> ---
>> libavutil/aes.c | 9 +++++----
>> 1 files changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/libavutil/aes.c b/libavutil/aes.c
>> index ace317f..07ee405 100644
>> --- a/libavutil/aes.c
>> +++ b/libavutil/aes.c
>> @@ -222,11 +222,9 @@ int av_aes_init(AVAES *a, const uint8_t *key, int
>> key_bits, int decrypt)
>> a->rounds = rounds;
>>
>> memcpy(tk, key, KC * 4);
>> + memcpy(a->round_key[0].u8, key, KC * 4);
>>
>> - for (t = 0; t < (rounds + 1) * 16;) {
>> - memcpy(a->round_key[0].u8 + t, tk, KC * 4);
>> - t += KC * 4;
>> -
>> + for (t = KC * 4; t < (rounds + 1) * 16;) {
>> for (i = 0; i < 4; i++)
>> tk[0][i] ^= sbox[tk[KC - 1][(i + 1) & 3]];
>> tk[0][0] ^= rcon[rconpointer++];
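Review bot: the rewritten header `for (t = KC * 4; t < (rounds + 1) * 16;)` still leaves its increment clause empty while `t += KC * 4` now sits at the very end of the loop body. Since the advance is now the last statement of every iteration, moving it into the header would make the bound easier to audit. A one-line comment above the new `memcpy(a->round_key[0].u8, key, KC * 4)` saying that the first KC words of the schedule are the raw key, plus a commit message naming the read being avoided, would also save the reader from reconstructing why the copy moved.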
>> @@ -239,6 +237,9 @@ int av_aes_init(AVAES *a, const uint8_t *key, int
>> key_bits, int decrypt)
>> for (i = 0; i < 4; i++)
>> tk[j][i] ^= sbox[tk[j - 1][i]];
>> }
>> +
>> + memcpy(a->round_key[0].u8 + t, tk, KC * 4);
>> + t += KC * 4;
>> }
>>
>> if (decrypt) {
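Review bot: the relocated `memcpy(a->round_key[0].u8 + t, tk, KC * 4)` always copies a full KC * 4 bytes, so whenever KC * 4 does not evenly divide (rounds + 1) * 16 the last copy ends past the (rounds + 1) * 16 bound that the loop condition checks. The removed lines wrote to the same offsets, so this is not a regression, but it deserves either a comment stating how much room round_key has beyond that bound or a copy length clamped to the bytes that remain.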
>
> I don't think I understand the patch, how does it prevent the read? Is
> there a break halfway this loop?
>
> It looks OK, assuming output didn't change.
This pseudo code might help:
//before:
for (i = 0; i <= ROUNDS; i++) {
    copy_key(i);
    calculate_key(i+1);
}
//after:
copy_key(0);
for (i = 1; i <= ROUNDS; i++) {
    calculate_key(i);
    copy_key(i);
}
The illegal read was in calculate_key(ROUNDS+1)
_______________________________________________
libav-devel mailing list
[email protected]
https://lists.libav.org/mailman/listinfo/libav-devel
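The two loop shapes from the pseudo code above, as an added example that is not code from this thread or from libav: it checks that both produce the same schedule and counts reads past the constant table. The toy mixing step (no S-box), the 10-entry table size, `rcon_at` and `expand` are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define RCON_LEN 10   /* assumption: table sized for 10 expansion steps */
static const uint8_t rcon[RCON_LEN] = {1, 2, 4, 8, 16, 32, 64, 128, 0x1b, 0x36};
static int oob_reads; /* reads past the table are counted, not performed */

static uint8_t rcon_at(int i)
{
    if (i >= RCON_LEN) { oob_reads++; return 0; }
    return rcon[i];
}

/* Toy stand-in for calculate_key(): consumes one constant per step like the
 * real schedule, but mixes with multiply/xor instead of the AES S-box. */
static void calculate_key(uint8_t tk[][4], int kc, int *rp)
{
    int i, j;
    for (i = 0; i < 4; i++)
        tk[0][i] ^= (uint8_t)(tk[kc - 1][(i + 1) & 3] * 3 + 1);
    tk[0][0] ^= rcon_at((*rp)++);
    for (j = 1; j < kc; j++)
        for (i = 0; i < 4; i++)
            tk[j][i] ^= tk[j - 1][i];
}

/* Expands key (kc * 4 bytes) into out, which needs (rounds + 1) * 16 + kc * 4
 * bytes of room. patched selects the loop shape. Returns the number of
 * constant-table reads that would have been out of bounds. */
int expand(uint8_t *out, const uint8_t *key, int kc, int rounds, int patched)
{
    uint8_t tk[8][4];
    int t, rp = 0;
    oob_reads = 0;
    memcpy(tk, key, kc * 4);
    if (patched) {
        memcpy(out, key, kc * 4);                  /* copy_key(0) */
        for (t = kc * 4; t < (rounds + 1) * 16; t += kc * 4) {
            calculate_key(tk, kc, &rp);
            memcpy(out + t, tk, kc * 4);
        }
    } else {
        for (t = 0; t < (rounds + 1) * 16; t += kc * 4) {
            memcpy(out + t, tk, kc * 4);
            calculate_key(tk, kc, &rp);            /* runs once after the last copy */
        }
    }
    return oob_reads;
}
```

With `kc = 4, rounds = 10` the unpatched shape performs an eleventh calculation whose result is never copied, and that extra step is the one that indexes past the table.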