The function PKCS_DSASigBSafe2PKCS() in the module
addins\intel\cssmcsp\pkcs_2_0\csp_func.c adjusts the
pointer to a buffer but later assumes the buffer to be
of a fixed length during a later copy operation. The
end of the source buffer is overrun and a byte of
rubbish is inadvertently added to the end of the
signature and the verify fails.
The dynamic allocation of the work buffer is overkill.
A cleaned up version of the function is attached.
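
The bug pattern described above, as an added C example. It is not the attached cleaned-up function and not the CSP's own code. The one-byte prefix, the 21-byte field size, the 0xAA filler and all function names are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <string.h>

#define FIELD_LEN 21   /* assumed: 1 prefix byte + 20 value bytes */
#define WORK_LEN  32   /* assumed work buffer size */

/* Buggy pattern: the pointer is advanced past the prefix, but the copy
 * still uses the original fixed length, so one byte beyond the valid
 * data is read and appended to the output. */
size_t copy_fixed_len(const unsigned char *src, size_t src_len,
                      unsigned char *out, size_t out_cap)
{
    const unsigned char *p = src;
    (void)src_len;                    /* the length is never consulted */
    if (*p == 0x00)
        p++;                          /* pointer adjusted ... */
    if (out_cap < FIELD_LEN)
        return 0;
    memcpy(out, p, FIELD_LEN);        /* ... length not adjusted */
    return FIELD_LEN;
}

/* Corrected pattern: the remaining length moves with the pointer. */
size_t copy_tracked_len(const unsigned char *src, size_t src_len,
                        unsigned char *out, size_t out_cap)
{
    const unsigned char *p = src;
    size_t remaining = src_len;
    if (remaining > 0 && *p == 0x00) {
        p++;
        remaining--;
    }
    if (remaining > out_cap)
        return 0;
    memcpy(out, p, remaining);
    return remaining;
}

/* Constructed input: 21 valid bytes (0x00, then 1..20) at the start of a
 * 32-byte work buffer whose unused tail holds 0xAA "rubbish". The buffer
 * is larger than the field so the buggy read stays inside the array. */
size_t demo(int use_fixed, unsigned char out[WORK_LEN])
{
    unsigned char work[WORK_LEN];
    memset(work, 0xAA, sizeof work);
    work[0] = 0x00;
    for (unsigned char i = 1; i <= 20; i++)
        work[i] = i;
    return use_fixed ? copy_tracked_len(work, FIELD_LEN, out, WORK_LEN)
                     : copy_fixed_len(work, FIELD_LEN, out, WORK_LEN);
}
```

With the fixed-length copy the output is 21 bytes and ends in the 0xAA filler byte. With the tracked length it is the 20 value bytes only.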