Fix UB in EvalScript (#1212)

* Do not construct out-of-bound pointers in SHA512/SHA1/RIPEMD160 code * Fix UB resulting from a bad pointer construction in CSHA256::Write. Co-authored-by: Pieter Wuille <pieter.wuille@gmail.com>
firoorg · May 17, 2023 · 3059634 · 3059634
1 parent 9a77fd3
commit 3059634
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 4 deletions.
diff --git a/src/crypto/ripemd160.cpp b/src/crypto/ripemd160.cpp
@@ -256,7 +256,7 @@ CRIPEMD160& CRIPEMD160::Write(const unsigned char* data, size_t len)
         ripemd160::Transform(s, buf);
         bufsize = 0;
     }
-    while (end >= data + 64) {
+    while (end - data >= 64) {
         // Process full chunks directly from the source.
         ripemd160::Transform(s, data);
         bytes += 64;

diff --git a/src/crypto/sha1.cpp b/src/crypto/sha1.cpp
@@ -163,7 +163,7 @@ CSHA1& CSHA1::Write(const unsigned char* data, size_t len)
         sha1::Transform(s, buf);
         bufsize = 0;
     }
-    while (end >= data + 64) {
+    while (end - data >= 64) {
         // Process full chunks directly from the source.
         sha1::Transform(s, data);
         bytes += 64;

diff --git a/src/crypto/sha256.cpp b/src/crypto/sha256.cpp
@@ -150,7 +150,7 @@ CSHA256& CSHA256::Write(const unsigned char* data, size_t len)
         sha256::Transform(s, buf);
         bufsize = 0;
     }
-    while (end >= data + 64) {
+    while (end - data >= 64) {
         // Process full chunks directly from the source.
         sha256::Transform(s, data);
         bytes += 64;

diff --git a/src/crypto/sha512.cpp b/src/crypto/sha512.cpp
@@ -168,7 +168,7 @@ CSHA512& CSHA512::Write(const unsigned char* data, size_t len)
         sha512::Transform(s, buf);
         bufsize = 0;
     }
-    while (end >= data + 128) {
+    while (end - data >= 128) {
         // Process full chunks directly from the source.
         sha512::Transform(s, data);
         data += 128;