sexp: Improve argument checking of sexp parser.
authorWerner Koch <wk@gnupg.org>
Mon, 15 Jul 2019 07:17:06 +0000 (09:17 +0200)
committerWerner Koch <wk@gnupg.org>
Mon, 15 Jul 2019 07:17:06 +0000 (09:17 +0200)
* src/sexp.c (do_vsexp_sscan): Check for bad length in '%b'.

Signed-off-by: Werner Koch <wk@gnupg.org>
src/sexp.c

index a04ff3f..57d77d2 100644 (file)
@@ -1541,6 +1541,13 @@ do_vsexp_sscan (gcry_sexp_t *retsexp, size_t *erroff,
              ARG_NEXT (alen, int);
              ARG_NEXT (astr, const char *);
 
+              if (alen < 0)
+                {
+                  *erroff = p - buffer;
+                 err = GPG_ERR_INV_ARG;
+                  goto leave;
+                }
+
              MAKE_SPACE (alen);
              if (alen
                   && !_gcry_is_secure (c.sexp->d)