Check invalid nc_off Uninitialized nc_off value >0xf passed by the caller can cause array out-of-bound.

commit: 3f7f8170d6ba71da9a9f624ef9da6c9edeb64b50 [log] [tgz]
author: Mohammad Azim Khan <Azim.Khan@arm.com> Thu Nov 23 17:49:05 2017 +0000
committer: Azim Khan <Azim.Khan@arm.com> Tue Apr 17 23:18:40 2018 +0100
tree: c96fadc22f4104b1bf731a739fad8c20d037718a
parent: 4ca9a457561fc774ca54898a72754bf53d60dba2 [diff]
diff --git a/include/mbedtls/aes.h b/include/mbedtls/aes.h
index 46016dc..d252930 100644
--- a/include/mbedtls/aes.h
+++ b/include/mbedtls/aes.h

@@ -49,6 +49,7 @@
 /* Error codes in range 0x0020-0x0022 */
 #define MBEDTLS_ERR_AES_INVALID_KEY_LENGTH                -0x0020  /**< Invalid key length. */
 #define MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH              -0x0022  /**< Invalid data input length. */
+#define MBEDTLS_ERR_AES_BAD_INPUT_DATA                    -0x0024  /**< Invalid input data. */
 
 /* Error codes in range 0x0023-0x0025 */
 #define MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE               -0x0023  /**< Feature not available. For example, an unsupported AES key size. */

diff --git a/library/aes.c b/library/aes.c
index da94b19..3bb8515 100644
--- a/library/aes.c
+++ b/library/aes.c

@@ -1082,6 +1082,9 @@
     int c, i;
     size_t n = *nc_off;
 
+    if ( n > 0x0F )
+        return( MBEDTLS_ERR_AES_BAD_INPUT_DATA );
+
     while( length-- )
     {
         if( n == 0 ) {
commit	3f7f8170d6ba71da9a9f624ef9da6c9edeb64b50	[log] [tgz]
author	Mohammad Azim Khan <Azim.Khan@arm.com>	Thu Nov 23 17:49:05 2017 +0000
committer	Azim Khan <Azim.Khan@arm.com>	Tue Apr 17 23:18:40 2018 +0100
tree	c96fadc22f4104b1bf731a739fad8c20d037718a
parent	4ca9a457561fc774ca54898a72754bf53d60dba2 [diff]