Description
The ArmXorEncoder does the following:

```asm
    adr r8, payload              @ r8 = address of the encoded payload
    mov r4, #%(length)s          @ r4 starts at the payload length
    adr r6, xor_cacheflush       @ r6 = exit target once decoding is done
loop:
    cmp r4, #%(maximum)s         @ size check happens before the index is derived
    bxhi r6                      @ unsigned r4 > maximum: leave the loop
    sub r4, r4, #%(length)s      @ r4 = index (r4 - length)
    ldrb r5, [r8, r4]
    eor r5, r5, #%(key)s
    strb r5, [r8, r4]
    add r4, r4, #%(length)s + 1  @ r4 = length + index + 1 for the next iteration
    b loop
```
Note that the size check is before the index is grabbed via the `sub`. This results in the maximum being checked against the length plus index rather than the index. I think this could be fixed by moving the `sub` instruction to before the `cmp` in `loop`. The current implementation would only xor the first 64 bytes of a 192 byte payload as maximum is set to 256. Might be able to make that larger given that the ARM32 would allow 12 bit immediates for the add/sub, but could have other issues at that point as this loop always goes to max currently (technically, currently it's incorrectly going to `maximum - length`).
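To make the loop-bound behaviour concrete, here is an added Python model of the register `r4` across the loop (this is not pwntools code, only a simulation written for this issue). `xor_loop_indices` reproduces the current instruction order and, with `sub_before_cmp=True`, the order suggested above; `apply_xor` runs those indices over a constructed payload. The payload bytes, key and the bounds check inside `apply_xor` are assumptions of the model; the real loop has no bounds check, so any index at or past `length` would read and write memory beyond the payload.

```python
def xor_loop_indices(length, maximum, sub_before_cmp=False):
    """Return the payload indices the decoder loop touches, in order.

    Models r4 through the loop quoted in the issue:
      r4 = length
      loop: cmp r4, maximum ; bxhi exit ; sub r4, r4, length
            ldrb/eor/strb [r8, r4] ; add r4, r4, length + 1 ; b loop
    sub_before_cmp=True moves the sub ahead of the cmp, as the issue proposes.
    The loop always terminates because r4 grows by one per iteration.
    """
    r4 = length
    touched = []
    while True:
        if sub_before_cmp:
            r4 -= length                 # index first ...
            if r4 > maximum:             # ... then bxhi (unsigned higher) exits
                break
        else:
            if r4 > maximum:             # bxhi checks length + index against maximum
                break
            r4 -= length                 # only now does r4 become the index
        touched.append(r4)               # ldrb / eor / strb at [r8, r4]
        r4 += length + 1                 # add r4, r4, length + 1
    return touched


def apply_xor(payload, key, maximum, sub_before_cmp=False):
    """Apply the modelled loop to a payload and return the resulting bytes.

    The `i < len(buf)` guard exists only in this model: the real loop carries no
    such check, so out-of-range indices correspond to out-of-bounds accesses.
    """
    buf = bytearray(payload)
    for i in xor_loop_indices(len(buf), maximum, sub_before_cmp):
        if i < len(buf):
            buf[i] ^= key
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample: a 192-byte payload of 0x41 and a key of 0x2a.
    sample = bytes([0x41]) * 192
    current = xor_loop_indices(192, 256)
    proposed = xor_loop_indices(192, 256, sub_before_cmp=True)
    print("current order touches indices", current[0], "..", current[-1])
    print("sub-before-cmp touches indices", proposed[0], "..", proposed[-1])
    decoded = apply_xor(sample, 0x2a, 256)
    print("bytes decoded with current order:", decoded.count(0x41 ^ 0x2a))
```

Running it with the values from the issue (length 192, maximum 256) shows that the current order stops as soon as `length + index` exceeds `maximum`, so only the leading part of the payload is decoded, while with a shorter payload (say length 10) the same loop keeps going well past the payload because the exit condition never involves `length` on its own.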