* [PATCH 1/1] sbc: Fix stack overflow read in sbc_crc8.
@ 2018-02-21 19:28 Joshua Kessinger
From: Joshua Kessinger @ 2018-02-21 19:28 UTC (permalink / raw)
  To: linux-bluetooth; +Cc: Joshua Kessinger

When encoding or decoding with JOINT_STEREO and 8 subbands, the crc_pos is 88
bits. In this case there are no extra bits which need to be added to the CRC,
but there is still a read of 1 byte past the end of the crc_header stack variable.

Signed-off-by: Joshua Kessinger <jkessinger@google.com>
---
 sbc/sbc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sbc/sbc.c b/sbc/sbc.c
index 606f11c..7f1efaa 100644
--- a/sbc/sbc.c
+++ b/sbc/sbc.c
@@ -190,7 +190,7 @@ static uint8_t sbc_crc8(const uint8_t *data, size_t len)
 	for (i = 0; i < len / 8; i++)
 		crc = crc_table[crc ^ data[i]];
 
-	octet = data[i];
+	octet = len % 8 ? data[i] : 0;
 	for (i = 0; i < len % 8; i++) {
 		char bit = ((octet ^ crc) & 0x80) >> 7;
 
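Review bot: the guarded load on the `+` line is correct but its intent is not obvious from the line alone; a one-line comment above it (e.g. `/* no trailing bits: do not touch the byte after the last full one */`) would document why `0` is a safe stand-in, namely that when `len % 8 == 0` the bit loop that follows never runs and `octet` is never used. The index arithmetic in the visible context confirms the commit message: on exit from the first loop `i == len / 8`, so for an 88-bit header the old `data[i]` was `data[11]` of an 11-byte buffer, one past its end. Since nothing is written, the subject line would be more precise as "out-of-bounds read" rather than "stack overflow read".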
-- 
2.16.1.291.g4437f3f132-goog
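As an added illustration, not code from sbc.c or from the patch author: a stand-alone reimplementation of the bit-length CRC-8 with a bounds-checked load, so that the one-byte over-read on an 88-bit header can be counted for the original and the patched form side by side. The polynomial 0x1D and initial value 0x0F are assumed from the A2DP SBC specification, and the 11-byte header is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
/* Assumed SBC CRC-8 parameters (A2DP spec): polynomial 0x1D, initial value 0x0F. */
#define SBC_CRC_POLY 0x1D
#define SBC_CRC_INIT 0x0F
/* Bounds-checked load: a read at or past `cap` is counted instead of performed,
   standing in for what ASan reports on the real crc_header stack buffer. */
static size_t overreads;
static uint8_t checked_read(const uint8_t *data, size_t i, size_t cap)
{
	if (i >= cap) { overreads++; return 0; }
	return data[i];
}
/* Shift the top `nbits` bits of `octet` into the CRC, MSB first (equivalent to
   the 256-entry table sbc.c uses for whole bytes). */
static uint8_t crc_feed(uint8_t crc, uint8_t octet, unsigned nbits)
{
	for (unsigned b = 0; b < nbits; b++) {
		uint8_t bit = ((octet ^ crc) & 0x80) >> 7;
		crc = (uint8_t)(((crc & 0x7f) << 1) ^ (bit ? SBC_CRC_POLY : 0));
		octet <<= 1;
	}
	return crc;
}
/* CRC-8 over the first `len` bits of a `cap`-byte buffer. fixed == false keeps the
   original unconditional read of data[len / 8]; fixed == true applies the patch. */
uint8_t sbc_crc8_bits(const uint8_t *data, size_t len, size_t cap, bool fixed)
{
	uint8_t crc = SBC_CRC_INIT, octet;
	size_t i;
	for (i = 0; i < len / 8; i++)
		crc = crc_feed(crc, checked_read(data, i, cap), 8);
	/* Here i == len / 8: for an 88-bit, 11-byte header that is data[11]. */
	if (fixed)
		octet = len % 8 ? checked_read(data, i, cap) : 0;
	else
		octet = checked_read(data, i, cap);
	return crc_feed(crc, octet, len % 8);
}
/* Out-of-bounds reads one variant makes on a constructed 88-bit (11-byte) header. */
size_t overreads_for_88_bits(bool fixed)
{
	const uint8_t hdr[11] = {0x9c, 0xbd, 0x20, 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77};
	overreads = 0;
	sbc_crc8_bits(hdr, 88, sizeof hdr, fixed);
	return overreads;
}
```

The CRC value is identical for both variants on the 88-bit case because the extra byte is never consumed; the defect is purely the out-of-bounds load, which is why it shows up under ASan rather than as a checksum mismatch.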



* Re: [PATCH 1/1] sbc: Fix stack overflow read in sbc_crc8.
From: Luiz Augusto von Dentz @ 2018-09-11  8:11 UTC (permalink / raw)
  To: Joshua Kessinger; +Cc: linux-bluetooth

Hi Joshua,

On Wed, Feb 21, 2018 at 9:28 PM, Joshua Kessinger <jkessinger@google.com> wrote:
> When encoding or decoding with JOINT_STEREO and 8 subbands the crc_pos is 88
> bits. In this case there are no extra bits which need to be added to the CRC,
> but there is still a read 1 byte past the end of the crc_header stack variable.
>
> Signed-off-by: Joshua Kessinger <jkessinger@google.com>
> ---
>  sbc/sbc.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/sbc/sbc.c b/sbc/sbc.c
> index 606f11c..7f1efaa 100644
> --- a/sbc/sbc.c
> +++ b/sbc/sbc.c
> @@ -190,7 +190,7 @@ static uint8_t sbc_crc8(const uint8_t *data, size_t len)
>         for (i = 0; i < len / 8; i++)
>                 crc = crc_table[crc ^ data[i]];
>
> -       octet = data[i];
> +       octet = len % 8 ? data[i] : 0;
>         for (i = 0; i < len % 8; i++) {
>                 char bit = ((octet ^ crc) & 0x80) >> 7;
>
> --

Looks like we forgot about this one; it is now applied after removing
the Signed-off-by line.

-- 
Luiz Augusto von Dentz

