fix a buffer corruption

9 years ago · 12ff6c8f2f
1 changed files with 9 additions and 5 deletions
--- a/src/encrypt.c
+++ b/src/encrypt.c
@ -1265,11 +1265,15 @@ char * ss_decrypt_all(int buf_size, char *ciphertext, ssize_t *len, int method,
        }

        if (auth || (plaintext[0] & ONETIMEAUTH_FLAG)) {
-            char hash[ONETIMEAUTH_BYTES];
-            memcpy(hash, plaintext + p_len - ONETIMEAUTH_BYTES, ONETIMEAUTH_BYTES);
-            ret = !ss_onetimeauth_verify(hash, plaintext, p_len - ONETIMEAUTH_BYTES, iv);
-            if (ret) {
-                p_len -= ONETIMEAUTH_BYTES;
+            if (p_len > ONETIMEAUTH_BYTES) {
+                char hash[ONETIMEAUTH_BYTES];
+                memcpy(hash, plaintext + p_len - ONETIMEAUTH_BYTES, ONETIMEAUTH_BYTES);
+                ret = !ss_onetimeauth_verify(hash, plaintext, p_len - ONETIMEAUTH_BYTES, iv);
+                if (ret) {
+                    p_len -= ONETIMEAUTH_BYTES;
+                }
+            } else {
+                ret = 0;
            }
        }