NetBSD-Bugs archive


lib/39389: crypt(3) has a little buffer overrun



>Number:         39389
>Category:       lib
>Synopsis:       crypt(3) has a little buffer overrun
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 21 12:10:01 +0000 2008
>Originator:     NAKAMURA Usaku
>Release:        NetBSD 4.99.46/i386
>Organization:
>Environment:
NetBSD zanzibar.garbagecollect.jp 4.99.46 NetBSD 4.99.46 (ZANZIBAR3) #0: Sun Dec 30 20:58:11 JST 2007 root%zanzibar.garbagecollect.jp@localhost:/usr/src/sys/arch/i386/compile/ZANZIBAR3 i386

>Description:
When passing the second argument with characters which are out of the range of 
'\0'-'\x7F' to crypt(3), it will access the inner table named a64toi[] beyond 
its boundary.

But in such a case it doesn't cause serious problems, because there are other 
large tables after a64toi[].
So this is non-critical, but only a small worry to me.

>How-To-Repeat:
#include <unistd.h>

int main(void)
{
        /* Salt bytes outside '\0'-'\x7F' index a64toi[] beyond its boundary. */
        crypt("", "\xff\xff");
        return 0;
}

>Fix:
Index: crypt.c
===================================================================
RCS file: /cvs/cvsroot/src/lib/libcrypt/crypt.c,v
retrieving revision 1.26
diff -u -1 -p -r1.26 crypt.c
--- crypt.c     17 Jan 2007 23:24:22 -0000      1.26
+++ crypt.c     21 Aug 2008 12:02:43 -0000
@@ -540,3 +540,4 @@ crypt(key, setting)
                        encp[i] = t;
-                       num_iter = (num_iter<<6) | a64toi[t];
+                       num_iter = (num_iter<<6) |
+                               a64toi[(unsigned)t < sizeof(a64toi) ? t : 0];
                }
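Review bot: in the new index expression `(unsigned)t < sizeof(a64toi) ? t : 0`, `sizeof(a64toi)` is a byte count, so the bound is correct only while each a64toi element is one byte wide; `sizeof(a64toi) / sizeof(a64toi[0])` would hold for any element type. The fallback to index 0 also means an out-of-range byte is silently given whatever value is stored in a64toi[0], and the context line `encp[i] = t;` has already copied the raw byte into the output before the check, so consider rejecting such a setting instead of continuing with it.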
@@ -556,3 +557,3 @@ crypt(key, setting)
                encp[i] = t;
-               salt = (salt<<6) | a64toi[t];
+               salt = (salt<<6) | a64toi[(unsigned)t < sizeof(a64toi) ? t : 0];
        }
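Review bot: the salt line repeats the exact `(unsigned)t < sizeof(a64toi) ? t : 0` expression from the num_iter change, and here it is left on one long line while the first hunk wraps it. A small macro or static helper that performs the bounds check once would keep the two call sites from drifting apart and give one place to document why index 0 is the fallback.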

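The out-of-range lookup described in this report, as an added example that is not part of the PR or of NetBSD's crypt.c: a salt decoder that converts each byte through unsigned char and rejects bytes outside the alphabet instead of mapping them to index 0. The names a64_value, decode_salt and A64_SLOTS, the 128-entry table size and the forward accumulation order are assumptions of this example.

```c
#include <stddef.h>

#define A64_SLOTS   128u  /* assumed table size: one slot per 7-bit code */
#define A64_INVALID 0xffu /* marks a slot that is not a salt character */

/* Salt alphabet of traditional crypt(3): value i is written as itoa64[i]. */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static unsigned char a64_table[A64_SLOTS];
static int a64_ready;

/* 6-bit value of c, or -1 if c is outside the alphabet. Going through
 * unsigned char keeps '\xff' from turning into a negative subscript. */
static int a64_value(char c)
{
    unsigned char u = (unsigned char)c;
    size_t i;
    if (!a64_ready) {          /* build the reverse table on first use */
        for (i = 0; i < A64_SLOTS; i++)
            a64_table[i] = A64_INVALID;
        for (i = 0; i < 64; i++)
            a64_table[(unsigned char)itoa64[i]] = (unsigned char)i;
        a64_ready = 1;
    }
    if (u >= A64_SLOTS || a64_table[u] == A64_INVALID)
        return -1;
    return a64_table[u];
}

/* Decode n salt characters into *out: 0 on success, -1 on a bad byte. */
static int decode_salt(const char *setting, size_t n, unsigned long *out)
{
    unsigned long salt = 0;
    size_t i;
    for (i = 0; i < n; i++) {
        int v = a64_value(setting[i]);
        if (v < 0)
            return -1;         /* reject rather than index past the table */
        salt = (salt << 6) | (unsigned long)v;
    }
    *out = salt;
    return 0;
}

int main(void)
{
    unsigned long s;           /* constructed input: the PR's "\xff\xff" */
    return decode_salt("\xff\xff", 2, &s) == -1 ? 0 : 1;
}
```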

