gpg: Fix possible out-of-bounds read in is_armored.

* g10/armor.c (check_input): Call is_armored only if LEN >= 2.
(unarmor_pump): Use a 2 byte buffer for is_armored.
--

Fixes-commit: 605276ef8cd449bfd574ae6c498fa5d7d265c5c7
Signed-off-by: Werner Koch <[email protected]>

1 files changed, 11 insertions, 5 deletions

diff --git a/g10/armor.c b/g10/armor.c
index e4503b8b4..9e58520a3 100644
--- a/g10/armor.c
+++ b/g10/armor.c
@@ -190,13 +190,18 @@ initialize(void)
     is_initialized=1;
 }
 
-/****************
- * Check whether this is an armored file or not See also
+
+/*
+ * Check whether this is an armored file.  See also
  * parse-packet.c for details on this code.
+ *
+ * Note that the buffer BUF needs to be at least 2 bytes long.  If in
+ * doubt that the second byte to 0.
+ *
  * Returns: True if it seems to be armored
  */
 static int
-is_armored( const byte *buf )
+is_armored (const byte *buf)
 {
   int ctb, pkttype;
   int indeterminate_length_allowed;
@@ -532,7 +537,7 @@ check_input( armor_filter_context_t *afx, IOBUF a )
     /* (the line is always a C string but maybe longer) */
     if( *line == '\n' || ( len && (*line == '\r' && line[1]=='\n') ) )
 	;
-    else if( !is_armored( line ) ) {
+    else if (len >= 2 && !is_armored (line)) {
 	afx->inp_checked = 1;
 	afx->inp_bypass = 1;
 	return 0;
@@ -1411,8 +1416,9 @@ unarmor_pump (UnarmorPump x, int c)
     switch (x->state) {
       case STA_init:
         {
-            byte tmp[1];
+            byte tmp[2];
             tmp[0] = c;
+            tmp[1] = 0;
             if ( is_armored (tmp) )
                 x->state = c == '-'? STA_first_dash : STA_wait_newline;
             else {