Fix a buffer overflow on EC point load While loading a new EC point, when it was smaller than the expected number of bytes, a zero padding was being written beyond the end of the buffer instead of at the initial position. While this has been working before, it broke when images were signed using the ring API. Signed-off-by: Fabio Utzig <utzig@apache.org>

commit: 006994b7547e9d69342a027e5b8fb69d632653e9 [log] [tgz]
author: Fabio Utzig <utzig@apache.org> Wed Jan 16 16:33:20 2019 -0800
committer: David Brown <davidb@davidb.org> Fri Jan 18 09:44:48 2019 -0700
tree: d7ad80b981e8d55c1f5452940b4d0c4cfc6df2c0
parent: 90abedc7528e020d4eef49c85917b85293557b75 [diff] [blame]
diff --git a/boot/bootutil/src/image_ec256.c b/boot/bootutil/src/image_ec256.c
index f1b0a0b..dbaea76 100644
--- a/boot/bootutil/src/image_ec256.c
+++ b/boot/bootutil/src/image_ec256.c

@@ -99,10 +99,10 @@
         return -3;
     }
 
-    if (len > NUM_ECC_BYTES) {
+    if (len >= NUM_ECC_BYTES) {
         memcpy(i, *cp + len - NUM_ECC_BYTES, NUM_ECC_BYTES);
     } else {
-        memset(i + NUM_ECC_BYTES, 0, NUM_ECC_BYTES - len);
+        memset(i, 0, NUM_ECC_BYTES - len);
         memcpy(i + NUM_ECC_BYTES - len, *cp, len);
     }
     *cp += len;
commit	006994b7547e9d69342a027e5b8fb69d632653e9	[log] [tgz]
author	Fabio Utzig <utzig@apache.org>	Wed Jan 16 16:33:20 2019 -0800
committer	David Brown <davidb@davidb.org>	Fri Jan 18 09:44:48 2019 -0700
tree	d7ad80b981e8d55c1f5452940b4d0c4cfc6df2c0
parent	90abedc7528e020d4eef49c85917b85293557b75 [diff] [blame]