core: Protect against a theoretical integer overflow in parsetlv.c

* src/parsetlv.c (_gpgme_parse_tlv): Detect integer overflow. -- Although there is no concrete case where we use for example (to.nhdr+ti.length), it feels safer to protect against this anyway.
author: Werner Koch <[email protected]> 2022-10-24 11:50:41 +0000
committer: Werner Koch <[email protected]> 2022-10-24 11:50:41 +0000
commit: 830e017e5d5f51d956d1188860302655f3e727e9 (patch)
tree: 80d9df9665e93a2a5944a4c6490046562fe69c7a /src/parsetlv.c
parent: cpp: Allow setting the curve to use when generating ECC keys (diff)
download: gpgme-830e017e5d5f51d956d1188860302655f3e727e9.tar.gz
gpgme-830e017e5d5f51d956d1188860302655f3e727e9.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/src/parsetlv.c b/src/parsetlv.c
index 69f48eb4..e6ae44d6 100644
--- a/src/parsetlv.c
+++ b/src/parsetlv.c
@@ -98,6 +98,9 @@ _gpgme_parse_tlv (char const **buffer, size_t *size, tlvinfo_t *ti)
       ti->length = len;
     }
 
+  if (ti->length > ti->nhdr && (ti->nhdr + ti->length) < ti->length)
+    return -1;  /* Integer overflow.  */
+
   *buffer = (void*)buf;
   *size = length;
   return 0;
author	Werner Koch <[email protected]>	2022-10-24 11:50:41 +0000
committer	Werner Koch <[email protected]>	2022-10-24 11:50:41 +0000
commit	830e017e5d5f51d956d1188860302655f3e727e9 (patch)
tree	80d9df9665e93a2a5944a4c6490046562fe69c7a /src/parsetlv.c
parent	cpp: Allow setting the curve to use when generating ECC keys (diff)
download	gpgme-830e017e5d5f51d956d1188860302655f3e727e9.tar.gz gpgme-830e017e5d5f51d956d1188860302655f3e727e9.zip