* pkclist.c (select_algo_from_prefs): Make sure the scores can't

overflow when picking an algorithm (not a security issue since we
can't pick something not present in all preference lists, but we might
pick something that isn't scored first choice).

2 files changed, 17 insertions, 4 deletions

diff --git a/g10/ChangeLog b/g10/ChangeLog
index e15ed8dd1..6e6c7c379 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,10 @@
+2010-10-29  David Shaw  <[email protected]>
+
+	* pkclist.c (select_algo_from_prefs): Make sure the scores can't
+	overflow when picking an algorithm (not a security issue since we
+	can't pick something not present in all preference lists, but we
+	might pick something that isn't scored first choice).
+
 2010-10-27  Werner Koch  <[email protected]>
 
 	* keygen.c (ask_expire_interval): Print 2038 warning only for 32
diff --git a/g10/pkclist.c b/g10/pkclist.c
index 534b59298..9c8315540 100644
--- a/g10/pkclist.c
+++ b/g10/pkclist.c
@@ -1,6 +1,6 @@
 /* pkclist.c
  * Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
- *               2008 Free Software Foundation, Inc.
+ *               2008, 2010 Free Software Foundation, Inc.
  *
  * This file is part of GnuPG.
  *
@@ -1267,8 +1267,8 @@ select_algo_from_prefs(PK_LIST pk_list, int preftype,
   const prefitem_t *prefs;
   int result=-1,i;
   unsigned int best=-1;    
-  byte scores[256];
-    
+  u16 scores[256];
+
   if( !pk_list )
     return -1;
 
@@ -1330,7 +1330,13 @@ select_algo_from_prefs(PK_LIST pk_list, int preftype,
 	    {
 	      if( prefs[i].type == preftype )
 		{
-		  scores[prefs[i].value]+=rank;
+		  /* Make sure all scores don't add up past 0xFFFF
+		     (and roll around) */
+		  if(rank+scores[prefs[i].value]<=0xFFFF)
+		    scores[prefs[i].value]+=rank;
+		  else
+		    scores[prefs[i].value]=0xFFFF;
+
 		  mask[prefs[i].value/32] |= 1<<(prefs[i].value%32);
 
 		  rank++;