diff options
| author | Werner Koch <[email protected]> | 2014-11-24 18:38:04 +0000 |
|---|---|---|
| committer | Werner Koch <[email protected]> | 2014-11-24 18:38:04 +0000 |
| commit | 2b4809406b6536cbb67a2282bf855710b8454dc2 (patch) | |
| tree | c579ab20aa0bd124b2d364a75301014797e22420 | |
| parent | gpg: Fix a NULL-deref for invalid input data. (diff) | |
| download | gnupg-2b4809406b6536cbb67a2282bf855710b8454dc2.tar.gz gnupg-2b4809406b6536cbb67a2282bf855710b8454dc2.zip | |
gpg: Fix off-by-one read in the attribute subpacket parser.
* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--
Reported-by: Hanno Böck
Signed-off-by: Werner Koch <[email protected]>
(backported from commit 0988764397f99db4efef1eabcdb8072d6159af76)
| -rw-r--r-- | g10/parse-packet.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/g10/parse-packet.c b/g10/parse-packet.c index dcda8ef59..db1702f88 100644 --- a/g10/parse-packet.c +++ b/g10/parse-packet.c @@ -2026,6 +2026,14 @@ parse_attribute_subpkts(PKT_user_id *uid) if( buflen < n ) goto too_short; + if (!n) + { + /* Too short to encode the subpacket type. */ + if (opt.verbose) + log_info ("attribute subpacket too short\n"); + break; + } + attribs=xrealloc(attribs,(count+1)*sizeof(struct user_attribute)); memset(&attribs[count],0,sizeof(struct user_attribute)); |