1 files changed, 25 insertions, 0 deletions

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index f9c4d16c2..21b3986df 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -1920,6 +1920,20 @@ parse_user_id( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
 {
     byte *p;
 
+    /* Cap the size of a user ID at 2k: a value absurdly large enough
+       that there is no sane user ID string (which is printable text
+       as of RFC2440bis) that won't fit in it, but yet small enough to
+       avoid allocation problems.  A large pktlen may not be
+       allocatable, and a very large pktlen could actually cause our
+       allocation to wrap around in xmalloc to a small number. */
+
+    if(pktlen>2048)
+      {
+	log_error("packet(%d) too large\n", pkttype);
+	skip_rest(inp, pktlen);
+	return G10ERR_INVALID_PACKET;
+      }
+
     packet->pkt.user_id = m_alloc(sizeof *packet->pkt.user_id  + pktlen);
     packet->pkt.user_id->len = pktlen;
 
@@ -2014,6 +2028,17 @@ parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
 {
     byte *p;
 
+    /* Cap comment packet at a reasonable value to avoid an integer
+       overflow in the malloc below.  Comment packets are actually not
+       anymore define my OpenPGP and we even stopped to use our
+       private comment packet. */
+    if (pktlen>65536)
+      {
+	log_error ("packet(%d) too large\n", pkttype);
+	skip_rest (inp, pktlen);
+	return G10ERR_INVALID_PACKET;
+      }
+
     packet->pkt.comment = m_alloc(sizeof *packet->pkt.comment + pktlen - 1);
     packet->pkt.comment->len = pktlen;
     p = packet->pkt.comment->data;