From: Greg Hudson <ghudson@mit.edu>
Date: Tue, 14 Feb 2012 22:14:54 +0000 (+0000)
Subject: Fix void pointer arithmetic in ASN.1 decoder
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=0c2e33717131f6beb43efd6e655e2cd7d8ce2dd5;p=krb5.git

Fix void pointer arithmetic in ASN.1 decoder

An expression in decode_sequence_of was incorrectly parenthesized,
resulting in addition to a void pointer.  Also avoid repeating the
expression.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25701 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
index b37ce7fb4..51fd8eeab 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -1529,7 +1529,7 @@ decode_sequence_of(const unsigned char *asn1, size_t len,
                    size_t *count_out)
 {
     asn1_error_code ret;
-    void *seq = NULL, *newseq;
+    void *seq = NULL, *elem, *newseq;
     const unsigned char *contents;
     size_t clen, count = 0;
     taginfo t;
@@ -1550,9 +1550,9 @@ decode_sequence_of(const unsigned char *asn1, size_t len,
             goto error;
         }
         seq = newseq;
-        memset((char *)(seq + count * elemtype->size), 0, elemtype->size);
-        ret = decode_atype(&t, contents, clen, elemtype,
-                           (char *)(seq + count * elemtype->size));
+        elem = (char *)seq + count * elemtype->size;
+        memset(elem, 0, elemtype->size);
+        ret = decode_atype(&t, contents, clen, elemtype, elem);
         if (ret)
             goto error;
         count++;