From 5d1a9c4dc823b418db6c4686da55ee3abdf023b0 Mon Sep 17 00:00:00 2001 From: Werner Koch Date: Tue, 5 Jul 2016 18:49:06 +0200 Subject: gpg: Fix possible out-of-bounds read in is_armored. * g10/armor.c (check_input): Call is_armored only if LEN >= 2. (unarmor_pump): Use a 2 byte buffer for is_armored. -- Fixes-commit: 605276ef8cd449bfd574ae6c498fa5d7d265c5c7 Signed-off-by: Werner Koch --- g10/armor.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/g10/armor.c b/g10/armor.c index e4503b8b4..9e58520a3 100644 --- a/g10/armor.c +++ b/g10/armor.c @@ -190,13 +190,18 @@ initialize(void) is_initialized=1; } -/**************** - * Check whether this is an armored file or not See also + +/* + * Check whether this is an armored file. See also * parse-packet.c for details on this code. + * + * Note that the buffer BUF needs to be at least 2 bytes long. If in + * doubt that the second byte to 0. + * * Returns: True if it seems to be armored */ static int -is_armored( const byte *buf ) +is_armored (const byte *buf) { int ctb, pkttype; int indeterminate_length_allowed; @@ -532,7 +537,7 @@ check_input( armor_filter_context_t *afx, IOBUF a ) /* (the line is always a C string but maybe longer) */ if( *line == '\n' || ( len && (*line == '\r' && line[1]=='\n') ) ) ; - else if( !is_armored( line ) ) { + else if (len >= 2 && !is_armored (line)) { afx->inp_checked = 1; afx->inp_bypass = 1; return 0; @@ -1411,8 +1416,9 @@ unarmor_pump (UnarmorPump x, int c) switch (x->state) { case STA_init: { - byte tmp[1]; + byte tmp[2]; tmp[0] = c; + tmp[1] = 0; if ( is_armored (tmp) ) x->state = c == '-'? STA_first_dash : STA_wait_newline; else { -- cgit v1.2.3