Cast Td4[] values (which are uint8_t) to uint32_t before shifting them left by

24 bits; if we don't, Td4[] gets cast to signed int, and according to C>=99
6.5.7, signed int shifted by enough bits to cause a the sign bit to be set
is an UB.

Reported by Pascal Cuoq on behalf of the trust-in-soft.com mafia I am
{partial,slightly related} to.

1 files changed, 5 insertions, 5 deletions

diff --git a/lib/libssl/src/crypto/aes/aes_core.c b/lib/libssl/src/crypto/aes/aes_core.c
index 93c32b919b3..1b8a24c714d 100644
--- a/lib/libssl/src/crypto/aes/aes_core.c
+++ b/lib/libssl/src/crypto/aes/aes_core.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_core.c,v 1.12 2015/02/10 09:46:30 miod Exp $ */
+/* $OpenBSD: aes_core.c,v 1.13 2015/11/05 21:59:13 miod Exp $ */
 /**
  * rijndael-alg-fst.c
  *
@@ -1132,28 +1132,28 @@ AES_decrypt(const unsigned char *in, unsigned char *out, const AES_KEY *key)
 	 * map cipher state to byte array block:
 	 */
 	s0 =
-	    (Td4[(t0 >> 24)] << 24) ^
+	    (((uint32_t)Td4[(t0 >> 24)]) << 24) ^
 	    (Td4[(t3 >> 16) & 0xff] << 16) ^
 	    (Td4[(t2 >> 8) & 0xff] <<  8) ^
 	    (Td4[(t1) & 0xff]) ^
 	    rk[0];
 	PUTU32(out, s0);
 	s1 =
-	    (Td4[(t1 >> 24)] << 24) ^
+	    (((uint32_t)Td4[(t1 >> 24)]) << 24) ^
 	    (Td4[(t0 >> 16) & 0xff] << 16) ^
 	    (Td4[(t3 >> 8) & 0xff] <<  8) ^
 	    (Td4[(t2) & 0xff]) ^
 	    rk[1];
 	PUTU32(out + 4, s1);
 	s2 =
-	    (Td4[(t2 >> 24)] << 24) ^
+	    (((uint32_t)Td4[(t2 >> 24)]) << 24) ^
 	    (Td4[(t1 >> 16) & 0xff] << 16) ^
 	    (Td4[(t0 >> 8) & 0xff] <<  8) ^
 	    (Td4[(t3) & 0xff]) ^
 	    rk[2];
 	PUTU32(out + 8, s2);
 	s3 =
-	    (Td4[(t3 >> 24)] << 24) ^
+	    (((uint32_t)Td4[(t3 >> 24)]) << 24) ^
 	    (Td4[(t2 >> 16) & 0xff] << 16) ^
 	    (Td4[(t1 >> 8) & 0xff] <<  8) ^
 	    (Td4[(t0) & 0xff]) ^