From 79502e2c1982047dcf2b776f52826f38bbd9b1fe Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 5 Nov 2012 19:01:01 +0100
Subject: Avoid dereferencing pointer right after the end

* mpi/mpicoder.c (do_get_buffer): Check the length before derefing P.
--

Christian Grothoff found this bug using Valgrind.
---
 mpi/mpicoder.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'mpi/mpicoder.c')

diff --git a/mpi/mpicoder.c b/mpi/mpicoder.c
index f499796d..a3435ed1 100644
--- a/mpi/mpicoder.c
+++ b/mpi/mpicoder.c
@@ -270,7 +270,7 @@ do_get_buffer (gcry_mpi_t a, unsigned int *nbytes, int *sign, int force_secure)
 
   /* This is sub-optimal but we need to do the shift operation because
      the caller has to free the returned buffer.  */
-  for (p=buffer; !*p && *nbytes; p++, --*nbytes)
+  for (p=buffer; *nbytes && !*p; p++, --*nbytes)
     ;
   if (p != buffer)
     memmove (buffer,p, *nbytes);
-- 
cgit v1.2.1