From 830e017e5d5f51d956d1188860302655f3e727e9 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Mon, 24 Oct 2022 13:50:41 +0200
Subject: [PATCH] core: Protect against a theoretical integer overflow in parsetlv.c

* src/parsetlv.c (_gpgme_parse_tlv): Detect integer overflow.
--
Although there is no concrete case where we use for example (to.nhdr+ti.length), it feels safer to protect against this anyway.
---
 src/parsetlv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/parsetlv.c b/src/parsetlv.c
index 69f48eb4..e6ae44d6 100644
--- a/src/parsetlv.c
+++ b/src/parsetlv.c
@@ -98,6 +98,9 @@ _gpgme_parse_tlv (char const **buffer, size_t *size, tlvinfo_t *ti)
 ti->length = len;
 }
 
+ if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+ return -1; /* Integer overflow. */
+
 *buffer = (void*)buf;
 *size = length;
 return 0;
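Review bot: The added guard before `*buffer = (void*)buf;` rejects only a wrapped `ti->nhdr + ti->length`; a declared length that is merely larger than the remaining `length` bytes still reaches `return 0`. Unless a bounds check sits in the part of `_gpgme_parse_tlv` outside this hunk, callers must still compare `ti->length` with the bytes left before reading the value. The test also relies on both fields being unsigned (presumably `size_t`; the declaration is not visible here), since with signed fields the addition itself would be undefined and the compiler could drop the check. For unsigned fields the first conjunct is redundant, and `if (ti->length > SIZE_MAX - ti->nhdr) return -1;` states the condition without performing the wrapping addition (it needs `<stdint.h>` if the file does not already include it). I would also expand the comment to `/* Reject lengths for which nhdr + length would wrap around. */` so the intent survives later edits.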