GpgFrontend/gpgme
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

core: Protect against a theoretical integer overflow in parsetlv.c

Browse Source 
* src/parsetlv.c (_gpgme_parse_tlv): Detect integer overflow.
--

Although there is no concrete case where we use for example
(to.nhdr+ti.length), it feels safer to protect against this anyway.
This commit is contained in:
Werner Koch 2022-10-24 13:50:41 +02:00
parent d9ac138595
commit 830e017e5d
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
src/parsetlv.c
View File

@ -98,6 +98,9 @@ _gpgme_parse_tlv (char const **buffer, size_t *size, tlvinfo_t *ti)
ti->length = len; ti->length = len;
} }
if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
return -1; /* Integer overflow. */
*buffer = (void*)buf; *buffer = (void*)buf;
*size = length; *size = length;
return 0; return 0;