From a75790b74095828f967c012eff7033f570d93077 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 8 Dec 2016 17:03:26 +0100
Subject: gpg: Fix the fix out-of-bounds access.

* g10/tofu.c (build_conflict_set): Revert to int* and fix calloc.
--

The original code used an int array and thus better keep that and do
not limit it to 128 entries.

Fixes-commit: c3008bffac68b6f31e9ae9bad837cdce5de7c0db
Fixes-commit: 3b5b94ceab7c0ed9501c5cf54b4efa17fcd7300a
Signed-off-by: Werner Koch <wk@gnupg.org>
---
 g10/tofu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'g10/tofu.c')

diff --git a/g10/tofu.c b/g10/tofu.c
index abf1ab42d..d15b25f4f 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -2227,10 +2227,10 @@ build_conflict_set (tofu_dbs_t dbs,
     int j;
     strlist_t *prevp;
     strlist_t iter_next;
-    char *die;
+    int *die;
 
     log_assert (conflict_set_count > 0);
-    die = xtrycalloc (1, conflict_set_count);
+    die = xtrycalloc (conflict_set_count, sizeof *die);
     if (!die)
       {
         /*err = gpg_error_from_syserror ();*/
-- 
cgit v1.2.3