From 1b42fde8527f13d957a88da35829bd72e82b2b65 Mon Sep 17 00:00:00 2001
From: Jochen Hoenicke
Date: Fri, 20 Mar 2015 21:36:01 +0100
Subject: [PATCH] Off by one error in word length.
This could lead to a buffer overrun if the final 0 byte is written to current_word[j] after the loop. Also document the limit of passphrase in mnemonic_to_seed.
---
 bip39.c | 3 ++-
 bip39.h | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/bip39.c b/bip39.c
index 7c78585808..5985fe8190 100644
--- a/bip39.c
+++ b/bip39.c
@@ -103,7 +103,7 @@ int mnemonic_check(const char *mnemonic)
 while (mnemonic[i]) {
 j = 0;
 while (mnemonic[i] != ' ' && mnemonic[i] != 0) {
- if (j >= sizeof(current_word)) {
+ if (j >= sizeof(current_word) - 1) {
 return 0;
 }
 current_word[j] = mnemonic[i];
@@ -145,6 +145,7 @@ int mnemonic_check(const char *mnemonic)
 return 0;
 }
+// passphrase must be at most 256 characters or code may crash
 void mnemonic_to_seed(const char *mnemonic, const char *passphrase, uint8_t seed[512 / 8], void (*progress_callback)(uint32_t current, uint32_t total))
 {
 uint8_t salt[8 + 256 + 4];
diff --git a/bip39.h b/bip39.h
index fe4d99e8ad..24a5b8d1b3 100644
--- a/bip39.h
+++ b/bip39.h
@@ -34,6 +34,7 @@ const char *mnemonic_from_data(const uint8_t *data, int len);
 int mnemonic_check(const char *mnemonic);
+// passphrase must be at most 256 characters or code may crash
 void mnemonic_to_seed(const char *mnemonic, const char *passphrase, uint8_t seed[512 / 8], void (*progress_callback)(uint32_t current, uint32_t total));
 const char * const *mnemonic_wordlist(void);
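Review bot: The new bound `sizeof(current_word) - 1` in the inner loop of mnemonic_check carries no comment explaining why one slot is held back. The write it protects, the terminating 0 stored to `current_word[j]` after the loop (per the commit message), lies outside this hunk. I would add `// keep one byte free for the terminating 0 written after the loop` above the check so that a later cleanup does not drop the `- 1`. A regression test that passes a word of exactly `sizeof(current_word)` characters and expects 0 would pin the fix, and none is part of this patch.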
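Review bot: The comment added above mnemonic_to_seed (here and again in the bip39.h hunk) turns an out-of-bounds write into a caller obligation instead of removing it. The context line shows a fixed `uint8_t salt[8 + 256 + 4]`, and the passphrase is presumably copied into it further down, outside this hunk. Since a passphrase usually comes from user input, the length should be checked inside the function before that copy, or the function should gain a way to report the error, rather than trusting every caller to pre-validate. If only the comment is kept, it should name the unit and the real consequence, e.g. `// passphrase must be at most 256 bytes (strlen, not characters); longer input overruns salt[]`.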