diff options
| author | Werner Koch <[email protected]> | 2014-06-20 08:39:26 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2014-06-20 18:23:19 +0000 |
| commit | 11fdfcf82bd8d2b5bc38292a29876e10770f4b0a (patch) | |
| tree | b482c72fc1be1cfe04fc6affe4c312161bae4b98 | |
| parent | gpg: Need to init the trustdb for import. (diff) | |
| download | gnupg-11fdfcf82bd8d2b5bc38292a29876e10770f4b0a.tar.gz gnupg-11fdfcf82bd8d2b5bc38292a29876e10770f4b0a.zip | |
gpg: Avoid infinite loop in uncompressing garbled packets.
* g10/compress.c (do_uncompress): Limit the number of extra FF bytes.
--
A packet like (a3 01 5b ff) leads to an infinite loop. Using
--max-output won't help if it is a partial packet. This patch
actually fixes a regression introduced on 1999-05-31 (c34c6769).
Actually it would be sufficient to stuff just one extra 0xff byte.
Given that this problem popped up only after 15 years, I feel safer to
allow for a very few FF bytes.
Thanks to Olivier Levillain and Florian Maury for their detailed
report.
| -rw-r--r-- | g10/compress.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/g10/compress.c b/g10/compress.c index 2c1617422..07c9e5e9c 100644 --- a/g10/compress.c +++ b/g10/compress.c @@ -131,7 +131,7 @@ init_uncompress( compress_filter_context_t *zfx, z_stream *zs ) * PGP uses a windowsize of 13 bits. Using a negative value for * it forces zlib not to expect a zlib header. This is a * undocumented feature Peter Gutmann told me about. - * + * * We must use 15 bits for the inflator because CryptoEx uses 15 * bits thus the output would get scrambled w/o error indication * if we would use 13 bits. For the uncompressing this does not @@ -155,7 +155,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs, IOBUF a, size_t *ret_len ) { int zrc; - int rc=0; + int rc = 0; + int leave = 0; size_t n; int nread, count; int refill = !zs->avail_in; @@ -178,13 +179,14 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs, if( nread == -1 ) nread = 0; n += nread; - /* If we use the undocumented feature to suppress - * the zlib header, we have to give inflate an - * extra dummy byte to read */ - if( nread < count && zfx->algo == 1 ) { - *(zfx->inbuf + n) = 0xFF; /* is it really needed ? */ - zfx->algo1hack = 1; + /* Algo 1 has no zlib header which requires us to to give + * inflate an extra dummy byte to read. To be on the safe + * side we allow for up to 4 ff bytes. */ + if( nread < count && zfx->algo == 1 && zfx->algo1hack < 4) { + *(zfx->inbuf + n) = 0xFF; + zfx->algo1hack++; n++; + leave = 1; } zs->avail_in = n; } @@ -208,7 +210,8 @@ do_uncompress( compress_filter_context_t *zfx, z_stream *zs, else log_fatal("zlib inflate problem: rc=%d\n", zrc ); } - } while( zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR ); + } while (zs->avail_out && zrc != Z_STREAM_END && zrc != Z_BUF_ERROR + && !leave); *ret_len = zfx->outbufsize - zs->avail_out; if( DBG_FILTER ) log_debug("do_uncompress: returning %u bytes\n", (unsigned)*ret_len ); |