From 4b353a0c39d76a4b6a5bbd00c1d3eefd3b6d3f1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ulrich=20M=C3=BCller?=
Date: Sun, 6 Dec 2015 16:46:32 +0100
Subject: [PATCH] put.c: Avoid out of bounds stack read.

Revert btoe() to the OpenBSD version, in order to avoid reading beyond array bounds. Thanks to Hanno Boeck.
Bug: 567608
---
patchsets/skey/1.1.5/01_all_gentoo.patch | 34 ++++++++++++++-----------
patchsets/skey/1.1.5/06_all_binary-search.patch | 2 +-
2 files changed, 20 insertions(+), 16 deletions(-)

diff --git a/patchsets/skey/1.1.5/01_all_gentoo.patch b/patchsets/skey/1.1.5/01_all_gentoo.patch
index 0576ae2..ce3d2e6 100644
--- a/patchsets/skey/1.1.5/01_all_gentoo.patch
+++ b/patchsets/skey/1.1.5/01_all_gentoo.patch
@@ -7,6 +7,10 @@ Updated skeyinfo.c and skey.3 from newer NetBSD version, which is under a 2-clause BSD license. Removed some whitespace changes. (05 Jan 2012) -ulm@gentoo.org +Revert btoe() to the OpenBSD version, in order to avoid reading +beyond array bounds, bug 567608. + (05 Dec 2015) -hanno@gentoo.org + --- skey-1.1.5.orig/CHANGES 2001-05-10 17:10:49.000000000 +0100 +++ skey-1.1.5/CHANGES 2003-11-06 17:46:45.000000000 +0000 @@ -1,6 +1,19 @@
@@ -1036,7 +1040,7 @@ under a 2-clause BSD license. Removed some whitespace changes. -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/skeyinfo.1 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/skeyinit.1 --- skey-1.1.5.orig/put.c 2001-05-10 17:10:49.000000000 +0100 -+++ skey-1.1.5/put.c 2003-11-06 17:46:45.000000000 +0000 ++++ skey-1.1.5/put.c 2015-12-05 22:25:30.513292266 +0000 @@ -14,7 +14,7 @@ #include #include
@@ -1059,7 +1063,7 @@ under a 2-clause BSD license. Removed some whitespace changes. "A", "ABE", "ACE", -@@ -2079,19 +2079,13 @@ +@@ -2079,10 +2079,7 @@ /* Encode 8 bytes in 'c' as a string of English words. * Returns a pointer to a static buffer */
@@ -1069,20 +1073,20 @@ under a 2-clause BSD license. Removed some whitespace changes. - char *engout; +char *btoe(char *engout, const char *c) { -- char cp[10]; /* add in room for the parity 2 bits + extract() slop */ -+ char cp[9]; /* add in room for the parity 2 bits */ + char cp[10]; /* add in room for the parity 2 bits + extract() slop */ int p, i; - +@@ -2090,8 +2087,8 @@ engout[0] = '\0'; -- -- /* workaround for extract() reads beyond end of data */ - (void)memset(cp, 0, sizeof(cp)); - (void)memcpy(cp, c, 8); ++ memset(cp, 0, sizeof(cp)); + memcpy(cp, c, 8); /* compute parity */ for (p = 0, i = 0; i < 64; i += 2) -@@ -2099,20 +2093,20 @@ +@@ -2099,20 +2096,20 @@ cp[8] = (char)p << 6;
@@ -1115,7 +1119,7 @@ under a 2-clause BSD license. Removed some whitespace changes. #endif return(engout); } -@@ -2123,41 +2117,42 @@ +@@ -2123,41 +2120,42 @@ * -1 badly formed in put ie > 4 char word * -2 words OK but parity is wrong */
@@ -1178,7 +1182,7 @@ under a 2-clause BSD license. Removed some whitespace changes. insert(b, v, p, 11); } -@@ -2167,55 +2162,47 @@ +@@ -2167,55 +2165,47 @@ p += extract (b, i, 2); if ((p & 3) != extract (b, 64, 2))
@@ -1245,7 +1249,7 @@ under a 2-clause BSD license. Removed some whitespace changes. { int i, j; -@@ -2223,18 +2210,18 @@ +@@ -2223,18 +2213,18 @@ i = (low + high) / 2; if ((j = strncmp(w, Wp[i], 4)) == 0)
@@ -1270,7 +1274,7 @@ under a 2-clause BSD license. Removed some whitespace changes. if (j < 0) high = i; /* Search lower half */ else -@@ -2242,12 +2229,7 @@ +@@ -2242,12 +2232,7 @@ } }
@@ -1284,7 +1288,7 @@ under a 2-clause BSD license. Removed some whitespace changes. { unsigned char cl; unsigned char cc; -@@ -2261,25 +2243,28 @@ +@@ -2261,25 +2246,28 @@ assert(start + length <= 66); shift = ((8 - ((start + length) % 8)) % 8);
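Review bot: In hunk `@@ -1069,20 +1073,20 @@` the restored `char cp[10]` and `memset(cp, 0, sizeof(cp))` only pad the buffer so that extract()'s over-read lands on zeroed stack instead of past the array, exactly as the retained comment `/* workaround for extract() reads beyond end of data */` says; the root cause stays in the reader. The `24 - (length + (start % 8))` shift in the later extract() hunk suggests it always fetches three bytes starting at `s[start / 8]`, so if the parity loop `for (p = 0, i = 0; i < 64; i += 2)` calls extract(cp, i, 2) as etob does, its last call would touch cp[9] — an index the previous cp[9] declaration did not cover, which is presumably the out-of-bounds read this revert addresses. A sturdier follow-up would make extract() read only the bytes its (start, length) window actually covers, after which the slop byte and the memset could be dropped and a caller passing an exactly 9-byte buffer would no longer be at risk. Dropping the `(void)` casts on memset/memcpy is harmless. btoe()'s body continues past the end of this hunk.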
@@ -1320,7 +1324,7 @@ under a 2-clause BSD license. Removed some whitespace changes. { while (*word) { if (!isascii(*word)) -@@ -2297,11 +2282,7 @@ +@@ -2297,11 +2285,7 @@ } /* Extract 'length' bits from the char array 's' starting with bit 'start' */
@@ -1333,7 +1337,7 @@ under a 2-clause BSD license. Removed some whitespace changes. { unsigned char cl; unsigned char cc; -@@ -2320,5 +2301,5 @@ +@@ -2320,5 +2304,5 @@ x = x >> (24 - (length + (start % 8))); x = (x & (0xffff >> (16 - length)));
diff --git a/patchsets/skey/1.1.5/06_all_binary-search.patch b/patchsets/skey/1.1.5/06_all_binary-search.patch
index 90e399c..923d41f 100644
--- a/patchsets/skey/1.1.5/06_all_binary-search.patch
+++ b/patchsets/skey/1.1.5/06_all_binary-search.patch
@@ -2,7 +2,7 @@ Fix binary search. --- skey-1.1.5-orig/put.c +++ skey-1.1.5/put.c -@@ -2206,27 +2206,17 @@ +@@ -2209,27 +2209,17 @@ { int i, j;
-- 
2.6.3