From 1755f33a478aeb787f8cf0d55ad6c628c30ff473 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Wed, 30 Jul 2014 11:04:55 +0200
Subject: [PATCH] Fix possible realloc overflow for gpgsm and uiserver engines.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* src/engine-gpgsm.c (status_handler):
* src/engine-uiserver.c (status_handler):
--

After a realloc (realloc is also used for initial alloc) the allocated
size if the buffer is not correctly recorded.  Thus an overflow can be
introduced by receiving data with different line lengths in a specific
order.  This is not easy exploitable because libassuan constructs the
line.  However a crash has been reported and thus it might be possible
to constructs an exploit.

CVE-id: CVE-2014-3564
Reported-by: Tomáš Trnka

Resolved conflicts:
	NEWS - removed
---
 src/engine-gpgsm.c    | 2 +-
 src/engine-uiserver.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
index cee20e31..a7888ca5 100644
--- a/src/engine-gpgsm.c
+++ b/src/engine-gpgsm.c
@@ -837,7 +837,7 @@ status_handler (void *opaque, int fd)
 	      else
 		{
 		  *aline = newline;
-		  gpgsm->colon.attic.linesize += linelen + 1;
+		  gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
 		}
 	    }
 	  if (!err)
diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
index bd140f90..350b609f 100644
--- a/src/engine-uiserver.c
+++ b/src/engine-uiserver.c
@@ -698,7 +698,7 @@ status_handler (void *opaque, int fd)
 	      else
 		{
 		  *aline = newline;
-		  uiserver->colon.attic.linesize += linelen + 1;
+		  uiserver->colon.attic.linesize = *alinelen + linelen + 1;
 		}
 	    }
 	  if (!err)