From f3dfbe3fcdc0329fcc11524538d6f78beb94cde8 Mon Sep 17 00:00:00 2001
From: Collin Funk via Gnupg-devel
Date: Fri, 23 May 2025 23:52:46 -0700
Subject: common: Fix read buffer over-read in uncompress_ecc_q_in_canon_sexp.

* common/sexputil.c (uncompress_ecc_q_in_canon_sexp): Only call memcmp if the lengths are equal.
--
GnuPG-bug-id: 7662
Signed-off-by: Collin Funk
---
 common/sexputil.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/common/sexputil.c b/common/sexputil.c
index b97e174a1..349c38333 100644
--- a/common/sexputil.c
+++ b/common/sexputil.c
@@ -784,11 +784,11 @@ uncompress_ecc_q_in_canon_sexp (const unsigned char *keydata,
 return err;
 if (!tok)
 return gpg_error (GPG_ERR_BAD_PUBKEY);
- else if (toklen == 10 || !memcmp ("public-key", tok, toklen))
+ else if (toklen == 10 && !memcmp ("public-key", tok, toklen))
 ;
- else if (toklen == 11 || !memcmp ("private-key", tok, toklen))
+ else if (toklen == 11 && !memcmp ("private-key", tok, toklen))
 ;
- else if (toklen == 20 || !memcmp ("shadowed-private-key", tok, toklen))
+ else if (toklen == 20 && !memcmp ("shadowed-private-key", tok, toklen))
 ;
 else
 return gpg_error (GPG_ERR_BAD_PUBKEY);
--
cgit v1.2.3
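Review bot: The three corrected comparisons still spell the lengths 10, 11 and 20 by hand next to the literals they describe, so a later edit to either side can silently reintroduce a length/literal mismatch. Deriving the length from the string keeps the two tied, e.g. `else if (toklen == sizeof "public-key" - 1 && !memcmp ("public-key", tok, toklen))`, applied the same way to the "private-key" and "shadowed-private-key" branches (or through one small local macro). Beyond the over-read named in the commit message, the old `||` form also accepted any token of those lengths and any shorter prefix of the literals, so the new condition is a stricter check of the key type. A regression test that passes a wrong 10-byte token and a truncated token and expects GPG_ERR_BAD_PUBKEY would pin that behaviour. The function begins and continues outside the hunk, so how `tok` and `toklen` are produced cannot be judged from here.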