gpg: Fix possible read of unallocated memory
author Werner Koch <wk@gnupg.org>
Fri, 12 Dec 2014 09:41:25 +0000 (10:41 +0100)
committer NIIBE Yutaka <gniibe@fsij.org>
Tue, 13 Jan 2015 01:45:41 +0000 (10:45 +0900)
commit aab282855ada8dddee99c777c91829344e91f31a
tree 93bda39ac0e9e52fab73dd29f51d723ceb1d8fec
parent c83e250ef36c28a275de74d96e89898e9f99cb1e
gpg: Fix possible read of unallocated memory

* g10/parse-packet.c (can_handle_critical): Check content length
before calling can_handle_critical_notation.
--

The problem was found by Jan Bee and gniibe proposed the used fix.
Thanks.

This bug can't be exploited: Only if the announced length of the
notation is 21 or 32 a memcmp against fixed strings using that length
would be done.  The compared data is followed by the actual signature
and thus it is highly likely that not even a read of unallocated memory
will happen.  Nevertheless such a bug needs to be fixed.

Signed-off-by: Werner Koch <wk@gnupg.org>
g10/parse-packet.c
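
The length check the commit message describes, as an added C example (not GnuPG's code and not part of this commit page). The notation names and sample subpackets are constructed, the function names are hypothetical, and the 8-octet header layout (flags, name length, value length) is assumed from the OpenPGP notation-data format.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed names (not GnuPG's own), 21 and 32 octets long to match the
   two lengths the commit message mentions. */
static const char NAME_21[] = "example-note@test.org";
static const char NAME_32[] = "example-long-notation@sample.org";

/* Constructed subpacket bodies: 4 flag octets, 2-octet name length, 2-octet
   value length, name, value. SAMPLE_SHORT announces 21 name octets but
   carries only 5. Callers pass sizeof - 1 to drop the literal's NUL. */
static const unsigned char SAMPLE_OK[] =
    "\x80\0\0\0" "\0\x15" "\0\x01" "example-note@test.org" "v";
static const unsigned char SAMPLE_SHORT[] =
    "\x80\0\0\0" "\0\x15" "\0\x01" "examp";

static size_t announced_len(const unsigned char *buf)
{
    return ((size_t)buf[4] << 8) | buf[5];
}

/* Hypothetical helper: is this a critical notation name we understand? */
static int known_notation(const unsigned char *name, size_t len)
{
    if (len == sizeof NAME_21 - 1 && memcmp(name, NAME_21, len) == 0) return 1;
    if (len == sizeof NAME_32 - 1 && memcmp(name, NAME_32, len) == 0) return 1;
    return 0;
}

/* Octets past the end of the data that a compare trusting the announced
   length could reach. Computed only; nothing is read out of bounds. */
static size_t overread_octets(const unsigned char *buf, size_t n)
{
    size_t len;
    if (n < 8) return 0;
    len = announced_len(buf);
    if (len != 21 && len != 32) return 0; /* other lengths never reach memcmp */
    return len > n - 8 ? len - (n - 8) : 0;
}

/* Checked version: compare only if the announced name fits in the data. */
static int can_handle_notation(const unsigned char *buf, size_t n)
{
    if (n < 8 || n - 8 < announced_len(buf)) return 0;
    return known_notation(buf + 8, announced_len(buf));
}
int main(void) { printf("%d %zu\n", can_handle_notation(SAMPLE_OK, 30), overread_octets(SAMPLE_SHORT, 13)); return 0; }
```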