[git] GnuPG - branch, master, updated. gnupg-2.1.13-115-g5d1a9c4

by Werner Koch cvs at cvs.gnupg.org
Tue Jul 5 18:52:49 CEST 2016 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU Privacy Guard".

The branch, master has been updated
       via  5d1a9c4dc823b418db6c4686da55ee3abdf023b0 (commit)
      from  8270580a5a70874beeffcdd16221937db4bcdc93 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 5d1a9c4dc823b418db6c4686da55ee3abdf023b0
Author: Werner Koch <wk at gnupg.org>
Date:   Tue Jul 5 18:49:06 2016 +0200

    gpg: Fix possible out-of-bounds read in is_armored.
    
    * g10/armor.c (check_input): Call is_armored only if LEN >= 2.
    (unarmor_pump): Use a 2 byte buffer for is_armored.
    --
    
    Fixes-commit: 605276ef8cd449bfd574ae6c498fa5d7d265c5c7
    Signed-off-by: Werner Koch <wk at gnupg.org>

diff --git a/g10/armor.c b/g10/armor.c
index e4503b8..9e58520 100644
--- a/g10/armor.c
+++ b/g10/armor.c
@@ -190,13 +190,18 @@ initialize(void)
     is_initialized=1;
 }
 
-/****************
- * Check whether this is an armored file or not See also
+
+/*
+ * Check whether this is an armored file.  See also
  * parse-packet.c for details on this code.
+ *
+ * Note that the buffer BUF needs to be at least 2 bytes long.  If in
+ * doubt that the second byte to 0.
+ *
  * Returns: True if it seems to be armored
  */
 static int
-is_armored( const byte *buf )
+is_armored (const byte *buf)
 {
   int ctb, pkttype;
   int indeterminate_length_allowed;
@@ -532,7 +537,7 @@ check_input( armor_filter_context_t *afx, IOBUF a )
     /* (the line is always a C string but maybe longer) */
     if( *line == '\n' || ( len && (*line == '\r' && line[1]=='\n') ) )
 	;
-    else if( !is_armored( line ) ) {
+    else if (len >= 2 && !is_armored (line)) {
 	afx->inp_checked = 1;
 	afx->inp_bypass = 1;
 	return 0;
@@ -1411,8 +1416,9 @@ unarmor_pump (UnarmorPump x, int c)
     switch (x->state) {
       case STA_init:
         {
-            byte tmp[1];
+            byte tmp[2];
             tmp[0] = c;
+            tmp[1] = 0;
             if ( is_armored (tmp) )
                 x->state = c == '-'? STA_first_dash : STA_wait_newline;
             else {

-----------------------------------------------------------------------

Summary of changes:
 g10/armor.c | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)


hooks/post-receive
-- 
The GNU Privacy Guard
http://git.gnupg.org

More information about the Gnupg-commits mailing list