From d02b460727f8252825c29e93fb93c67b29f30a62 Mon Sep 17 00:00:00 2001
From: vlm <vlm@59561ff5-6e30-0410-9f3c-9617f08c8826>
Date: Thu, 20 Nov 2008 05:15:11 +0000
Subject: memory OOB issue on Windows and with non-standard allocators; by
 Sheng Yu

git-svn-id: https://asn1c.svn.sourceforge.net/svnroot/asn1c/trunk@1407 59561ff5-6e30-0410-9f3c-9617f08c8826
---
 ChangeLog           | 5 ++++-
 skeletons/INTEGER.c | 4 ++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d5739e3d..4e8a038d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,5 @@
 
-0.9.22:	2007-Jun-29
+0.9.22:	2008-Nov-19
 
 	* Added -pdu=all and -pdu=<type> switches to asn1c.
 	* Added PER support for most known-multiplier string types:
@@ -18,6 +18,9 @@
 	* Added DEFAULT handling for known multiplier string.
 	* Added a sample OMA ULP decoder (./examples/sample.source.ULP).
 	* Added full-width 32-bit integer encoding support in PER.
+	* Fixed 1-byte OOB write issue with non-standard and Windows
+	  memory allocators (Severity: low; Security impact: medium).
+	  Reported by Sheng Yu.
 
 0.9.21:	2006-Sep-17
 
diff --git a/skeletons/INTEGER.c b/skeletons/INTEGER.c
index 54a402b3..f016131a 100644
--- a/skeletons/INTEGER.c
+++ b/skeletons/INTEGER.c
@@ -868,8 +868,8 @@ asn_ulong2INTEGER(INTEGER_t *st, unsigned long value) {
 
 	end = buf + (sizeof(value) + 1);
 	buf[0] = 0;
-	for(b = buf, shr = (sizeof(long)-1)*8; b < end; shr -= 8)
-		*(++b) = (uint8_t)(value >> shr);
+	for(b = buf + 1, shr = (sizeof(long)-1)*8; b < end; shr -= 8, b++)
+		*b = (uint8_t)(value >> shr);
 
 	if(st->buf) FREEMEM(st->buf);
 	st->buf = buf;
-- 
cgit v1.2.3