Fix overflow in SHA-3/Keccak

state->rate is always larger than or equal to state->bitsInQueue; when bitsInQueue == rate the queue is consumed and bitsInQueue is set to 0 again. Done-with: Marc Mutz <marc.mutz@qt.io> Pick-to: 6.5.0 6.5 6.4.3 6.4 6.2 5.15 Change-Id: I56d268a19fb3cd542cc027edc962253f09d97a14 Reviewed-by: Marc Mutz <marc.mutz@qt.io> Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
author: Mårten Nordheim <marten.nordheim@qt.io> 2023-03-08 11:10:49 +0100
committer: Marc Mutz <marc.mutz@qt.io> 2023-03-10 14:39:37 +0000
commit: fa4b7495b741c3e7943860c5ff15212afceda710 (patch)
tree: 0ccf1097ab03488c29e80e0563cb259a9dafa948 /src/3rdparty/sha3/KeccakSponge.c
parent: 4f02973e2f447dfc92234ec247d7157ea0e1e807 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/src/3rdparty/sha3/KeccakSponge.c b/src/3rdparty/sha3/KeccakSponge.c
index 6f3da95dbb..337c10ccaf 100644
--- a/src/3rdparty/sha3/KeccakSponge.c
+++ b/src/3rdparty/sha3/KeccakSponge.c
@@ -170,9 +170,10 @@ static int Absorb(spongeState *state, const unsigned char *data, unsigned long l
             i += wholeBlocks*state->rate;
         }
         else {
-            partialBlock = (unsigned int)(databitlen - i);
-            if (partialBlock+state->bitsInQueue > state->rate)
+            if (databitlen-i > state->rate - state->bitsInQueue)
                 partialBlock = state->rate-state->bitsInQueue;
+            else
+                partialBlock = (unsigned int)(databitlen - i);
             partialByte = partialBlock % 8;
             partialBlock -= partialByte;
             memcpy(state->dataQueue+state->bitsInQueue/8, data+i/8, partialBlock/8);
author	Mårten Nordheim <marten.nordheim@qt.io>	2023-03-08 11:10:49 +0100
committer	Marc Mutz <marc.mutz@qt.io>	2023-03-10 14:39:37 +0000
commit	fa4b7495b741c3e7943860c5ff15212afceda710 (patch)
tree	0ccf1097ab03488c29e80e0563cb259a9dafa948 /src/3rdparty/sha3/KeccakSponge.c
parent	4f02973e2f447dfc92234ec247d7157ea0e1e807 (diff)