Hi, On Thu, Nov 10, 2011 at 9:58 AM, Alex Converse <[email protected]> wrote: > On Thu, Nov 10, 2011 at 9:38 AM, Ronald S. Bultje <[email protected]> wrote: >> Hi, >> >> On Thu, Nov 3, 2011 at 6:15 PM, Alex Converse <[email protected]> >> wrote: >>> --- >>> libavutil/aes.c | 9 +++++---- >>> 1 files changed, 5 insertions(+), 4 deletions(-) >>> >>> diff --git a/libavutil/aes.c b/libavutil/aes.c >>> index ace317f..07ee405 100644 >>> --- a/libavutil/aes.c >>> +++ b/libavutil/aes.c >>> @@ -222,11 +222,9 @@ int av_aes_init(AVAES *a, const uint8_t *key, int >>> key_bits, int decrypt) >>> a->rounds = rounds; >>> >>> memcpy(tk, key, KC * 4); >>> + memcpy(a->round_key[0].u8, key, KC * 4); >>> >>> - for (t = 0; t < (rounds + 1) * 16;) { >>> - memcpy(a->round_key[0].u8 + t, tk, KC * 4); >>> - t += KC * 4; >>> - >>> + for (t = KC * 4; t < (rounds + 1) * 16;) { >>> for (i = 0; i < 4; i++) >>> tk[0][i] ^= sbox[tk[KC - 1][(i + 1) & 3]]; >>> tk[0][0] ^= rcon[rconpointer++]; >>> @@ -239,6 +237,9 @@ int av_aes_init(AVAES *a, const uint8_t *key, int >>> key_bits, int decrypt) >>> for (i = 0; i < 4; i++) >>> tk[j][i] ^= sbox[tk[j - 1][i]]; >>> } >>> + >>> + memcpy(a->round_key[0].u8 + t, tk, KC * 4); >>> + t += KC * 4; >>> } >>> >>> if (decrypt) { >> >> I don't think I understand the patch, how does it prevent the read? Is >> there a break halfway this loop? >> >> It looks OK, assuming output didn't change. > > This pseudo code might help: > > //before: > for (i = 0; i <= ROUNDS; i++) > copy_key(i); > calculate_key(i+1); > > //after: > copy_key(0); > for (i = 1; i <= ROUNDS; i++) > calculate_key(i); > copy_key(i); > > The illegal read was in calculate_key(ROUNDS+1)
That makes more sense then. Thanks, patch OK. Ronald
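Review bot: the first hunk (@@ -222,11 +222,9) changes the loop to start at t = KC * 4 without a code comment, and the quoted patch shows no description above the --- line, so nothing records why the copy and the expansion were reordered; the reviewer in this thread needed separate pseudo-code to follow it. A short comment above `for (t = KC * 4; t < (rounds + 1) * 16;) {` stating that the first KC * 4 bytes are copied straight from key and that each pass now expands first and copies second, so no expansion step runs after the last copy, would keep that reasoning with the code. The commit message should say the same and name the illegal read being fixed.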
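Review bot: in the second hunk (@@ -239,6 +237,9) the added `memcpy(a->round_key[0].u8 + t, tk, KC * 4);` is bounded only by the loop condition t < (rounds + 1) * 16, so the final copy writes up to offset t + KC * 4, which goes past (rounds + 1) * 16 whenever KC * 4 does not divide that bound evenly. The removed lines in the first hunk wrote the same offsets, so this is not a regression, but since the patch is about an out-of-bounds access it is worth either clamping the last copy to (rounds + 1) * 16 - t bytes or adding a comment that round_key has room for the overshoot.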
