https://bugzilla.novell.com/show_bug.cgi?id=440853

User sbrabec@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=440853#c2

Stanislav Brabec <sbrabec@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aj@dungeon.inka.de

--- Comment #2 from Stanislav Brabec <sbrabec@novell.com> 2009-03-05 05:44:41 MST ---
This may be a fix:

--- src/pkcs15init/pkcs15-lib.c +++ src/pkcs15init/pkcs15-lib.c @@ -3723,9 +3723,10 @@ while (p < end && (tag = *p++) != 0 && tag != 0xFF) { int r = 0; - if (p >= end || p + (n = *p++) > end) + if (p >= end || p + (n = *p) > end) goto error; + p++; switch (tag) { case OPENSC_INFO_TAG_PROFILE: r = set_info_string(&profile->name, p, n);

(This is not exact expansion, but in case of error p value is forgotten anyway.)

Or expand the expression to a non-cryptic form:

    n = *p;
    if (p >= end || p + n > end)
        goto error;
    p++;

(Again not exact expansion.)

The expression two lines above looks cryptic as well, but probably correct and defined behavior:

    p < end && (tag = *p++) != 0 && tag != 0xFF

"(tag = *p++) != 0" should be executed after "p < end" and it can be understood as:

    tag = *p; p++; (tag != 0)
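
Review bot: the new condition `p + (n = *p) > end` is tested while p still points at the length byte, so after the added `p++` the value handed to `set_info_string(&profile->name, p, n)` may extend one byte past end: an entry whose length byte plus n bytes exactly reaches end passes the check, yet its value starts one byte later. Suggest testing `p >= end` first, then `n = *p++`, then `if (n > end - p) goto error;`, which also avoids forming `p + n` beyond the buffer. The expanded form proposed in the comment has the same off-by-one and additionally reads `*p` before `p >= end` is tested.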
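
An added example, not code from the bug report or from the project: a minimal C walk over the same tag/length/value layout that writes each read and each bounds check as its own statement, as the comment proposes, and compares lengths instead of pointers. The function names, the sample buffers and the step that advances `p` past the value are assumptions; `patched_check_accepts` restates the patched condition in length form for comparison.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed sample buffers (tag, length, value...). */
static const unsigned char sample_ok[]    = { 0x01, 0x03, 'a', 'b', 'c', 0x02, 0x00, 0xFF };
static const unsigned char sample_exact[] = { 0x01, 0x02, 'x', 'y' };  /* value ends at end */
static const unsigned char sample_trunc[] = { 0x01, 0x03, 'a', 'b' };  /* value one byte short */

/* Walk the entries in buf[0..size). Stops at tag 0x00 or 0xFF like the loop
 * in the patch. Returns the number of entries, or -1 if one is truncated.
 * Assumption: the loop body advances p past the value (not shown in the hunk). */
int tlv_walk(const unsigned char *buf, size_t size)
{
    const unsigned char *p = buf, *end = buf + size;
    int count = 0;

    while (p < end) {
        unsigned char tag = *p++;      /* p < end was checked, read is in bounds */
        size_t n;

        if (tag == 0 || tag == 0xFF)
            break;
        if (p >= end)                  /* no length byte left */
            return -1;
        n = *p++;                      /* p now points at the value */
        if (n > (size_t)(end - p))     /* compare lengths, never form p + n */
            return -1;
        p += n;
        count++;
    }
    return count;
}

/* The patched condition, with p still on the length byte, written with
 * lengths: returns 1 when "p >= end || p + *p > end" is false (entry accepted). */
int patched_check_accepts(const unsigned char *p, const unsigned char *end)
{
    return p < end && (size_t)*p <= (size_t)(end - p);
}

int main(void)
{
    printf("ok=%d exact=%d trunc=%d\n", tlv_walk(sample_ok, sizeof sample_ok),
           tlv_walk(sample_exact, sizeof sample_exact),
           tlv_walk(sample_trunc, sizeof sample_trunc));
    printf("patched check accepts trunc: %d\n",
           patched_check_accepts(sample_trunc + 1, sample_trunc + sizeof sample_trunc));
    return 0;
}
```

`sample_trunc` is the boundary case: the walk rejects it, while the condition evaluated on the length byte accepts it.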