[PATCH] Fix potential heap corruption in "gpg -v --version"
Dmitry V. Levin
ldv at altlinux.org
Sat Oct 27 00:12:47 CEST 2012
* g10/gpg.c (build_list): Fix memory allocation arithmetic.
---
Reproducer: env -i LANG=ru_RU.utf8 gpg -v --version
Relevant to 2.0 and 1.4 stable branches as well.
g10/gpg.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/g10/gpg.c b/g10/gpg.c
index b614a94..b9253b1 100644
--- a/g10/gpg.c
+++ b/g10/gpg.c
@@ -904,9 +904,12 @@ build_list( const char *text, char letter,
gcry_control (GCRYCTL_INIT_SECMEM, 0, 0); /* Drop setuid. */
for(i=0; i <= 110; i++ )
- if( !chkf(i) && (s=mapf(i)) )
- n += strlen(s) + 7 + 2;
- list = xmalloc( 21 + n ); *list = 0;
+ if( !chkf(i) && (s=mapf(i)) ) {
+ n += strlen(s) + 2;
+ if(opt.verbose && letter)
+ n += 7;
+ }
+ list = xmalloc(n); *list = 0;
for(p=NULL, i=0; i <= 110; i++ ) {
if( !chkf(i) && (s=mapf(i)) ) {
if( !p ) {
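Review bot: `list = xmalloc(n);` on the new side drops the 21-byte slack that `xmalloc( 21 + n )` carried, so the allocation is now exact and rests entirely on how n is initialised before this hunk (not visible here) covering strlen(text) plus the closing newline and NUL; a comment at the xmalloc such as `/* n is the exact size of list; every later write must already be counted in it */` would state the invariant the fix depends on. The 7 added under `opt.verbose && letter` is a bare width — presumably the budget for a per-entry suffix appended later in the function, outside this hunk — so `n += 7; /* room for the per-entry verbose suffix; keep in step with the write below */` ties the budget to the text it sizes. build_list continues past the end of this hunk.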
@@ -917,18 +920,18 @@ build_list( const char *text, char letter,
p = stpcpy( p, ", ");
if(strlen(line)>60) {
- int spaces=strlen(text);
+ size_t spaces = strlen(text);
- list=xrealloc(list,n+spaces+1);
+ n += spaces + 1;
+ list = xrealloc(list, n);
/* realloc could move the block, so find the end again */
- p=list;
- while(*p)
- p++;
+ p = list + strlen(list);
p=stpcpy(p, "\n");
line=p;
- for(;spaces;spaces--)
- p=stpcpy(p, " ");
+ memset(p, ' ', spaces);
+ p += spaces;
+ *p = '\0';
}
p = stpcpy(p, s );
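Review bot: The cumulative `n += spaces + 1; list = xrealloc(list, n);` is the actual corruption fix, but nothing says that the increment must equal exactly the `"\n"` plus `spaces` blanks written just below it; a comment on the xrealloc line, `/* grow by exactly the wrap overhead written below: "\n" + indent */`, would keep the count and the writes from drifting apart. The `*p = '\0';` after the memset is redundant with the `stpcpy(p, s )` that follows, but it keeps list a valid string between the two writes, which is worth a short comment so it is not removed as dead code. The wrap threshold 60 and the indent of strlen(text) are unnamed constants; naming them would help. build_list continues beyond this hunk.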
--
ldv