From c01c065b9ded3399a6a480f15543827dd5e8eb4d Mon Sep 17 00:00:00 2001
From: Pieter Wuille <pieter.wuille@gmail.com>
Date: Fri, 3 May 2019 16:08:11 -0700
Subject: Do not construct out-of-bound pointers in SHA512/SHA1/RIPEMD160 code

---
 src/crypto/ripemd160.cpp | 2 +-
 src/crypto/sha1.cpp      | 2 +-
 src/crypto/sha512.cpp    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

(limited to 'src/crypto')

diff --git a/src/crypto/ripemd160.cpp b/src/crypto/ripemd160.cpp
index a00331dcb7..edee06cc34 100644
--- a/src/crypto/ripemd160.cpp
+++ b/src/crypto/ripemd160.cpp
@@ -256,7 +256,7 @@ CRIPEMD160& CRIPEMD160::Write(const unsigned char* data, size_t len)
         ripemd160::Transform(s, buf);
         bufsize = 0;
     }
-    while (end >= data + 64) {
+    while (end - data >= 64) {
         // Process full chunks directly from the source.
         ripemd160::Transform(s, data);
         bytes += 64;
diff --git a/src/crypto/sha1.cpp b/src/crypto/sha1.cpp
index 5c601c54a6..3dcdcb186e 100644
--- a/src/crypto/sha1.cpp
+++ b/src/crypto/sha1.cpp
@@ -163,7 +163,7 @@ CSHA1& CSHA1::Write(const unsigned char* data, size_t len)
         sha1::Transform(s, buf);
         bufsize = 0;
     }
-    while (end >= data + 64) {
+    while (end - data >= 64) {
         // Process full chunks directly from the source.
         sha1::Transform(s, data);
         bytes += 64;
diff --git a/src/crypto/sha512.cpp b/src/crypto/sha512.cpp
index bc64135cae..4e6aa363f7 100644
--- a/src/crypto/sha512.cpp
+++ b/src/crypto/sha512.cpp
@@ -168,7 +168,7 @@ CSHA512& CSHA512::Write(const unsigned char* data, size_t len)
         sha512::Transform(s, buf);
         bufsize = 0;
     }
-    while (end >= data + 128) {
+    while (end - data >= 128) {
         // Process full chunks directly from the source.
         sha512::Transform(s, data);
         data += 128;
-- 
cgit v1.2.3