Avoid buffer underflow in evp_test.

The second loop in the remove_space function doesn't check for walking
back off of the start of the string while setting white space to 0.

This fix exits this loop once the pointer is before the (updated) beginning
of the string.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2752)

diff --git a/test/evp_test.c b/test/evp_test.c
index 494a46b3183d475eb914d4e3db6b82fcfe284d3e..d924e3f6fcb801521fadd20ddf4271e5fa200a79 100644 (file)
--- a/test/evp_test.c
+++ b/test/evp_test.c
@@ -23,17 +23,17 @@
 
 static void remove_space(char **pval)
 {
 
 static void remove_space(char **pval)
 {

-    unsigned char *p = (unsigned char *)*pval;
+    unsigned char *p = (unsigned char *)*pval, *beginning;

 
     while (isspace(*p))
         p++;
 
 
     while (isspace(*p))
         p++;
 

-    *pval = (char *)p;
+    *pval = (char *)(beginning = p);

 
     p = p + strlen(*pval) - 1;
 
     /* Remove trailing space */
 
     p = p + strlen(*pval) - 1;
 
     /* Remove trailing space */

-    while (isspace(*p))
+    while (p >= beginning && isspace(*p))

         *p-- = 0;
 }
 
         *p-- = 0;
 }