gpg: Fix off-by-one read in the attribute subpacket parser.
authorWerner Koch <wk@gnupg.org>
Mon, 24 Nov 2014 16:28:25 +0000 (17:28 +0100)
committerWerner Koch <wk@gnupg.org>
Mon, 24 Nov 2014 16:28:25 +0000 (17:28 +0100)
* g10/parse-packet.c (parse_attribute_subpkts): Check that the
attribute packet is large enough for the subpacket type.
--

Reported-by: Hanno Böck
Signed-off-by: Werner Koch <wk@gnupg.org>
g10/parse-packet.c

index e0370aa..f75e21c 100644 (file)
@@ -2359,8 +2359,16 @@ parse_attribute_subpkts (PKT_user_id * uid)
       if (buflen < n)
        goto too_short;
 
-      attribs =
-       xrealloc (attribs, (count + 1) * sizeof (struct user_attribute));
+      if (!n)
+        {
+          /* Too short to encode the subpacket type.  */
+          if (opt.verbose)
+            log_info ("attribute subpacket too short\n");
+          break;
+        }
+
+      attribs = xrealloc (attribs,
+                          (count + 1) * sizeof (struct user_attribute));
       memset (&attribs[count], 0, sizeof (struct user_attribute));
 
       type = *buffer;
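Review bot: A zero-length subpacket now ends the loop with `break` in the new guard, whereas a subpacket longer than the remaining buffer on the `buflen < n` line just above jumps to `too_short`, so the two malformed-length cases take different paths and the hunk does not say why. If the intent is to keep the attributes parsed so far and silently drop the rest, that is worth stating in the comment, e.g. `/* Zero-length subpacket: stop here but keep the attributes already parsed. */`; otherwise `goto too_short;` would make the error handling consistent with the check above it. Note also that the `log_info` is emitted only under `opt.verbose`, so by default a malformed attribute packet is accepted with no diagnostic at all. parse_attribute_subpkts begins before and continues past this hunk, including the `too_short` label, so what that path does is not visible here.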