From 6d6cd5daf63b812734343bd020677829b13db2ac Mon Sep 17 00:00:00 2001 From: Fionn Fitzmaurice <1897918+fionn@users.noreply.github.com> Date: Fri, 3 Jul 2020 07:39:54 +0800 Subject: [PATCH] Avoid buffer overflow in RC4 loop comparison (#336) The rc4 function iterates over a buffer of size buffer_len whose maximum value is INT_MAX with a counter of type short that is not guaranteed to have maximum size INT_MAX. In circumstances where short is narrower than int and where buffer_len is larger than the maximum value of a short, it may be possible to loop infinitely as counter will overflow and never be greater than or equal to buffer_len. The solution is to make the comparison be between types of equal width. This commit defines counter as an int. Fix By: Fionn Fitzmaurice (@fionn) --- ares_query.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ares_query.c b/ares_query.c index b38b8a6..5bbb2f5 100644 --- a/ares_query.c +++ b/ares_query.c @@ -45,7 +45,7 @@ static void rc4(rc4_key* key, unsigned char *buffer_ptr, int buffer_len) unsigned char y; unsigned char* state; unsigned char xorIndex; - short counter; + int counter; x = key->x; y = key->y; -- 1.8.3.1
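Review bot: At the new `int counter;` declaration, the counter now matches the `int buffer_len` parameter in width, which addresses the wraparound the message describes, but nothing at the declaration records that the two types must stay in step. Since `rc4` is static, consider declaring both `buffer_len` and `counter` as `size_t` (after confirming that no caller passes a negative length), or at least add a one-line comment saying the counter must be as wide as `buffer_len`, so a later change to the parameter type does not reintroduce the mismatch. The subject line also says "buffer overflow" while the body describes a counter overflow that leads to a non-terminating loop; wording the subject to match the body would make the fix easier to find in the history.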