From 5a70985d1faea8365b88381fe13c000bd7b75166 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Wed, 13 Jun 2018 19:38:47 +0300
Subject: [PATCH] Fixed heap-buffer-overflow in crypto.createHmac().
---
 njs/njs_crypto.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/njs/njs_crypto.c b/njs/njs_crypto.c
index 0946fb22..de075708 100644
--- a/njs/njs_crypto.c
+++ b/njs/njs_crypto.c
@@ -417,7 +417,7 @@ njs_crypto_create_hmac(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
 ctx->alg = alg;
- if (key.length > 64) {
+ if (key.length > sizeof(key_buf)) {
 alg->init(&ctx->u);
 alg->update(&ctx->u, key.start, key.length);
 alg->final(digest, &ctx->u);
@@ -426,7 +426,7 @@ njs_crypto_create_hmac(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs,
 memset(key_buf + alg->size, 0, sizeof(key_buf) - alg->size);
 } else {
- memcpy(key_buf, key.start, sizeof(key_buf));
+ memcpy(key_buf, key.start, key.length);
 memset(key_buf + key.length, 0, sizeof(key_buf) - key.length);
 }
--
2.47.3
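Review bot: Comparing `key.length` with `sizeof(key_buf)` in the first hunk makes the buffer size double as the HMAC block size, and nothing at the `if` says so. A comment such as `/* key_buf holds exactly one hash block; longer keys are hashed first (RFC 2104) */` would stop a later algorithm with a larger block from silently inheriting the wrong threshold. The long-key branch, visible as context in the second hunk, also computes `sizeof(key_buf) - alg->size`, which wraps as an unsigned length if a digest were ever larger than the buffer, so the comment should also state that `alg->size` must not exceed `sizeof(key_buf)`. The declaration of `key_buf` and the start of njs_crypto_create_hmac are outside the hunk, so the actual sizes cannot be confirmed from here.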
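Review bot: No regression test accompanies the bounded `memcpy(key_buf, key.start, key.length)` in the else branch of the second hunk; the diffstat lists only njs/njs_crypto.c. A createHmac case with a key shorter than the block buffer, run in a sanitizer build, would catch a return to the fixed-size copy that read past the end of `key.start`. Separately, a zero-length key now reaches `memcpy` with a count of 0; if `key.start` can be null for an empty string (not visible here), skipping the copy with `if (key.length != 0)` avoids passing a null pointer to `memcpy`. The function continues past the end of the hunk.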