core: Fix array overrunning during FIPS keys generation
author Ondrej Holy <oholy@redhat.com>
Tue, 19 Dec 2017 09:21:03 +0000 (10:21 +0100)
committer Ondrej Holy <oholy@redhat.com>
Tue, 19 Dec 2017 09:29:16 +0000 (10:29 +0100)
p is 20 and r is 1 in the last iteration of fips_expand_key_bits,
which means that buf[21] is read (of BYTE buf[21];). However,
the value is not needed, because it is consequently discarded by
"c & 0xfe" statement. Let's not read buf[p + 1] when r is 1
to avoid this.

libfreerdp/core/security.c

index be03311..a6d8bd3 100644 (file)
@@ -524,9 +524,9 @@ static void fips_expand_key_bits(BYTE* in, BYTE* out)
                p = b / 8;
                r = b % 8;
 
-               if (r == 0)
+               if (r <= 1)
                {
-                       out[i] = buf[p] & 0xfe;
+                       out[i] = (buf[p] << r) & 0xfe;
                }
                else
                {
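Review bot: the `if (r <= 1)` branch carries no comment explaining why r == 1 can skip buf[p + 1], and the reason is not evident from the code alone. Per the commit message, the bit that buf[p + 1] would contribute when r is 1 is cleared by the 0xfe mask, so `(buf[p] << r) & 0xfe` avoids the read of buf[21] on the last iteration (p = 20) without changing the output. Please put a one-line comment stating this above the condition, so that a later cleanup does not fold the r == 1 case back into the else branch and reintroduce the out-of-bounds read.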