https://bugzilla.novell.com/show_bug.cgi?id=440853 User dcb314@hotmail.com added comment https://bugzilla.novell.com/show_bug.cgi?id=440853#c1 --- Comment #1 from David Binderman <dcb314@hotmail.com> 2009-03-05 04:56:52 MST --- I just checked version 0.11.6-5.22 and the code is still broken, some four months later. Your advice appreciated on how to best progress this bug report. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=440853 User sbrabec@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=440853#c3 Stanislav Brabec <sbrabec@novell.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 - None |P4 - Low Status|NEW |ASSIGNED --- Comment #3 from Stanislav Brabec <sbrabec@novell.com> 2009-03-05 10:24:06 MST --- Cross-reference to the upstream mailing list: http://www.opensc-project.org/pipermail/opensc-devel/2009-March/011915.html And a reply from Andreas Jellinghaus intended for Bugzilla: From: Andreas Jellinghaus Subject: Re: [Bug 440853] opensc-0.11.6-1.29: undefined code Date: Thu, 5 Mar 2009 16:26:40 +0100 hu? I can't post a comment to the bug in bugzilla. maybe the behaviour is undefined, but it does not matter, because neither n or p are used, if "goto error" is executed (and both are local variables). here is the new code that should be ok: n = *p; p++; if (p >= end || p + n > end) goto error; since p is < end before the loop is started, we can read *p into n (variable for length of the tag). and we can increase p to point to the value. now p must be still smaller than end, and the last byte of the value (p+n) also must be end or smaller, so the result should be fine. Regards, Andreas -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.