On 17.02.2016 at 19:51, Salz, Rich wrote:
>
>> *header = c;
>> + header++;
>
> Header isn't used after that assignment. How does this line change anything?
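
Review bot: the added header++ directly after "*header = c;" needs a comment in the code, because nothing in the visible lines reads header afterwards and the increment looks like a dead store. A one-line note such as "skip the ',' separator; load_iv() below reads through &header" would make the dependency explicit, and it would also help to confirm at this point that *header really is ',' before stepping over it.
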
The call to load_iv() that occurs next has as its first argument header_pp, which is a pointer to header:

    char **header_pp = &header;

Inside load_iv() this pointer is named fromp and is immediately being dereferenced:

    from = *fromp;

so "from" is an alias to "header"; it contains the same address as "header". When being dereferenced, "from" will return the same char that "header" points to.

Now in load_iv() "from" is used to iterate over the IV hex chars:

    for (i = 0; i < num; i++) {
        if ((*from >= '0') && (*from <= '9'))
            v = *from - '0';
        else if ((*from >= 'A') && (*from <= 'F'))
            v = *from - 'A' + 10;
        else if ((*from >= 'a') && (*from <= 'f'))
            v = *from - 'a' + 10;
        else {
            PEMerr(PEM_F_LOAD_IV, PEM_R_BAD_IV_CHARS);
            return (0);
        }
        from++;
        to[i / 2] |= v << (long)((!(i & 1)) * 4);
    }

Since *from == *header == ',' at the beginning of the loop, this bombs. "header" needs to be incremented to actually point to the beginning of the IV.

I hope this is understandable. It took me a moment as well to understand how "from" in load_iv() relates to "header" in PEM_get_EVP_CIPHER_INFO().

I checked the patch with the reproduction case before posting and also added some debug logging to the "from" loop to double check.

Regards,

Rainer

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4320
Please log in as guest with password guest if prompted
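
The aliasing described in the reply above, as an added example that is not part of the original message and not OpenSSL's own code: load_iv() here is a simplified stand-in for the loop quoted in the reply, while parse_iv(), skip_sep and the sample header value are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for load_iv(): decodes num hex chars through *fromp. */
static int load_iv(char **fromp, unsigned char *to, int num)
{
    char *from = *fromp;            /* alias of the caller's "header" */
    int i, v;
    memset(to, 0, num / 2);
    for (i = 0; i < num; i++) {
        if (*from >= '0' && *from <= '9')
            v = *from - '0';
        else if (*from >= 'A' && *from <= 'F')
            v = *from - 'A' + 10;
        else if (*from >= 'a' && *from <= 'f')
            v = *from - 'a' + 10;
        else
            return 0;               /* the "bad IV chars" path */
        from++;
        to[i / 2] |= v << ((!(i & 1)) * 4);
    }
    *fromp = from;
    return 1;
}

/* Hypothetical caller: header is left on the ',' that ends the cipher name;
 * skip_sep selects whether it is advanced before load_iv() is called. */
static int parse_iv(const char *value, int skip_sep, unsigned char *iv, int ivlen)
{
    char buf[128], *header;
    if (strlen(value) >= sizeof(buf))
        return 0;
    strcpy(buf, value);
    if ((header = strchr(buf, ',')) == NULL)
        return 0;
    if (skip_sep)
        header++;                   /* now points at the first IV hex digit */
    if (strlen(header) < (size_t)(2 * ivlen))
        return 0;                   /* too short: refuse instead of overreading */
    return load_iv(&header, iv, 2 * ivlen);
}

int main(void)
{
    unsigned char iv[8];
    const char *v = "DES-CBC,0123456789abcDEF";   /* constructed sample */
    printf("no skip: %d, skip: %d\n", parse_iv(v, 0, iv, 8), parse_iv(v, 1, iv, 8));
    return 0;
}
```

Without the increment the first character load_iv() sees is the separator, so a well-formed IV is rejected; with it the same input decodes to the expected bytes.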