gpg: Fix segv due to NULL value stored as opaque MPI.
authorWerner Koch <wk@gnupg.org>
Thu, 19 Feb 2015 15:29:58 +0000 (16:29 +0100)
committerWerner Koch <wk@gnupg.org>
Thu, 19 Feb 2015 15:29:58 +0000 (16:29 +0100)
* g10/build-packet.c (gpg_mpi_write): Check for NULL return from
gcry_mpi_get_opaque.
(gpg_mpi_write_nohdr, do_key): Ditto.
* g10/keyid.c (hash_public_key): Ditto.
--

This fix extends commit 0835d2f44ef62eab51fce6a927908f544e01cf8f.

  gpg2 --export --no-default-keyring --keyring TESTDATA

With TESTDATA being below after unpacking.

-----BEGIN PGP ARMORED FILE-----

mBMEhdkMmS8BcX8F//8F5voEhQAQmBMEnAAAZwAAo4D/f/8EhQAAAIAEnP8EhQAQ
iBMEnP8AAAAABf8jIID///8EhQYQmBMEnIUAEIgTBKT/AAAAAAUAACCA/f//BIUA
EJgTBJx/AP8ABPPzBJx/AP8ABPPz
=2yE0
-----END PGP ARMORED FILE-----

Reported-by: Jodie Cunningham
Signed-off-by: Werner Koch <wk@gnupg.org>
g10/build-packet.c
g10/keyid.c

index e44350e..557dffe 100644 (file)
@@ -171,7 +171,7 @@ gpg_mpi_write (iobuf_t out, gcry_mpi_t a)
       lenhdr[0] = nbits >> 8;
       lenhdr[1] = nbits;
       rc = iobuf_write (out, lenhdr, 2);
-      if (!rc)
+      if (!rc && p)
         rc = iobuf_write (out, p, (nbits+7)/8);
     }
   else
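Review bot: When `p` is NULL the two-byte length header is still built from `nbits` and written, so guarding only the payload write can leave a header that announces bytes which never follow. Whether `nbits` is guaranteed to be zero in that case is not visible in this hunk; if it is not, forcing it before the header is filled in, e.g. `if (!p) nbits = 0;`, keeps the emitted MPI well-formed. The body of gpg_mpi_write starts and ends outside the hunk.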
@@ -209,7 +209,7 @@ gpg_mpi_write_nohdr (iobuf_t out, gcry_mpi_t a)
       const void *p;
 
       p = gcry_mpi_get_opaque (a, &nbits);
-      rc = iobuf_write (out, p, (nbits+7)/8);
+      rc = p ? iobuf_write (out, p, (nbits+7)/8) : 0;
     }
   else
     rc = gpg_error (GPG_ERR_BAD_MPI);
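Review bot: The NULL case on the changed line returns 0 with nothing written, while the `else` branch directly below reports `GPG_ERR_BAD_MPI`, and nothing tells the reader why a NULL opaque value counts as success rather than a bad MPI. A one-line comment above the assignment would record the intent, for example `/* A NULL opaque value is treated as an empty MPI: nothing to write. */`. The function starts above the hunk.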
@@ -393,7 +393,8 @@ do_key (iobuf_t out, int ctb, PKT_public_key *pk)
 
           assert (gcry_mpi_get_flag (pk->pkey[npkey], GCRYMPI_FLAG_OPAQUE));
           p = gcry_mpi_get_opaque (pk->pkey[npkey], &ndatabits);
-          iobuf_write (a, p, (ndatabits+7)/8 );
+          if (p)
+            iobuf_write (a, p, (ndatabits+7)/8 );
         }
       else
         {
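Review bot: The guarded `iobuf_write (a, p, (ndatabits+7)/8 );` still discards its return value, unlike the two writers earlier in this file, which propagate `rc`. A failed write into `a` would therefore go unnoticed and a truncated key packet could be emitted. Capturing the result in do_key's error variable (its name is not visible in this hunk) and bailing out on failure would make the three call sites consistent. do_key's body continues outside the hunk.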
index 9f7b70f..a0571b0 100644 (file)
@@ -179,7 +179,10 @@ hash_public_key (gcry_md_hd_t md, PKT_public_key *pk)
 
               p = gcry_mpi_get_opaque (pk->pkey[i], &nbits);
               pp[i] = xmalloc ((nbits+7)/8);
-              memcpy (pp[i], p, (nbits+7)/8);
+              if (p)
+                memcpy (pp[i], p, (nbits+7)/8);
+              else
+                pp[i] = NULL;
               nn[i] = (nbits+7)/8;
               n += nn[i];
             }
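Review bot: In the new `else` branch the buffer just returned by `xmalloc ((nbits+7)/8)` is overwritten with NULL without being freed, so each NULL opaque MPI leaks that allocation. Allocating only under the check avoids it: `if (p) { pp[i] = xmalloc ((nbits+7)/8); memcpy (pp[i], p, (nbits+7)/8); } else pp[i] = NULL;`. `nn[i]` is also still added to `n` for the skipped entry; if `nbits` can be nonzero while `p` is NULL (not visible here), the total length would count bytes that the loop in the following hunk never passes to `gcry_md_write`, so setting `nn[i] = 0` in that case is worth considering. The enclosing loop starts outside the hunk.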
@@ -214,14 +217,18 @@ hash_public_key (gcry_md_hd_t md, PKT_public_key *pk)
   if(npkey==0 && pk->pkey[0]
      && gcry_mpi_get_flag (pk->pkey[0], GCRYMPI_FLAG_OPAQUE))
     {
-      gcry_md_write (md, pp[0], nn[0]);
+      if (pp[0])
+        gcry_md_write (md, pp[0], nn[0]);
     }
   else
-    for(i=0; i < npkey; i++ )
-      {
-       gcry_md_write ( md, pp[i], nn[i] );
-       xfree(pp[i]);
-      }
+    {
+      for(i=0; i < npkey; i++ )
+        {
+          if (pp[i])
+            gcry_md_write ( md, pp[i], nn[i] );
+          xfree(pp[i]);
+        }
+    }
 }