From 6432c7e78257c85637e8c41d4008ba18ddccca0d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg2@elzevir.fr>
Date: Mon, 31 Aug 2015 11:30:07 +0200
Subject: [PATCH] Fix memory corruption in rsa sign/verify programs

backport from d74c697

see #210
---
 ChangeLog                  |  1 +
 programs/pkey/rsa_sign.c   | 11 ++++++-----
 programs/pkey/rsa_verify.c | 11 +++++------
 3 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index b22fdde8a..5d505b502 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,7 @@ Bugfix
    * Fix -Wshadow warnings (found by hnrkp) (#240)
    * Fix unused function warning when using MBEDTLS_MDx_ALT or
      MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
+   * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
 
 = mbed TLS 1.3.12 released 2015-08-11
 
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
index d9a9a6e51..63ef822ea 100644
--- a/programs/pkey/rsa_sign.c
+++ b/programs/pkey/rsa_sign.c
@@ -60,6 +60,7 @@ int main( int argc, char *argv[] )
     rsa_context rsa;
     unsigned char hash[20];
     unsigned char buf[POLARSSL_MPI_MAX_SIZE];
+    char filename[512];
 
     ret = 1;
 
@@ -133,14 +134,14 @@ int main( int argc, char *argv[] )
     }
 
     /*
-     * Write the signature into <filename>-sig.txt
+     * Write the signature into <filename>.sig
      */
-    memcpy( argv[1] + strlen( argv[1] ), ".sig", 5 );
+    snprintf( filename, sizeof( filename ), "%s.sig", argv[1] );
 
-    if( ( f = fopen( argv[1], "wb+" ) ) == NULL )
+    if( ( f = fopen( filename, "wb+" ) ) == NULL )
     {
         ret = 1;
-        polarssl_printf( " failed\n  ! Could not create %s\n\n", argv[1] );
+        polarssl_printf( " failed\n  ! Could not create %s\n\n", filename );
         goto exit;
     }
 
@@ -150,7 +151,7 @@ int main( int argc, char *argv[] )
 
     fclose( f );
 
-    polarssl_printf( "\n  . Done (created \"%s\")\n\n", argv[1] );
+    polarssl_printf( "\n  . Done (created \"%s\")\n\n", filename );
 
 exit:
 
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
index 374a5f1e2..022ef337c 100644
--- a/programs/pkey/rsa_verify.c
+++ b/programs/pkey/rsa_verify.c
@@ -59,6 +59,7 @@ int main( int argc, char *argv[] )
     rsa_context rsa;
     unsigned char hash[20];
     unsigned char buf[POLARSSL_MPI_MAX_SIZE];
+    char filename[512];
 
     ret = 1;
     if( argc != 2 )
@@ -99,17 +100,15 @@ int main( int argc, char *argv[] )
      * Extract the RSA signature from the text file
      */
     ret = 1;
-    i = strlen( argv[1] );
-    memcpy( argv[1] + i, ".sig", 5 );
+    snprintf( filename, sizeof( filename ), "%s.sig", argv[1] );
 
-    if( ( f = fopen( argv[1], "rb" ) ) == NULL )
+    if( ( f = fopen( filename, "rb" ) ) == NULL )
     {
-        polarssl_printf( "\n  ! Could not open %s\n\n", argv[1] );
+        polarssl_printf( "\n  ! Could not open %s\n\n", filename );
         goto exit;
     }
 
-    argv[1][i] = '\0', i = 0;
-
+    i = 0;
     while( fscanf( f, "%02X", &c ) > 0 &&
            i < (int) sizeof( buf ) )
         buf[i++] = (unsigned char) c;