[PATCH] Fix potential heap corruption in "gpg -v --version"

Dmitry V. Levin ldv at altlinux.org
Sat Oct 27 22:07:24 CEST 2012


On Sat, Oct 27, 2012 at 06:45:20PM +0200, Werner Koch wrote:
> On Sat, 27 Oct 2012 00:12, ldv at altlinux.org said:
> > * g10/gpg.c (build_list): Fix memory allocation arithmetics.
> 
> Please explain

I thought the patch is self-explanatory.
Well, in short, build_list() fails to allocate required heap memory properly.

In multibyte locales translated strings are usually longer (in bytes) than
in C locale.  The 1st argument of build_list() is a translated string.
When it is long enough, build_list() attempts to produce a multi-line
string with 2nd and other lines indented by the length of the 1st
argument.  The result looks ugly (because in a multibyte locale the length
of a string in characters is less than its length in bytes) but the main
problem is that build_list() fails to expand the buffer required to store
this multi-line string: all it does is
	list=xrealloc(list,n+spaces+1);
without updating "n" so the 2nd expand is no-op which unavoidably results
to a heap corruption.

Besides that, build_list() does other funny things with memory allocation
and string operations, e.g. its only purpose of doing "xmalloc( 21 + n )"
is confusing an observer because it doesn't need these extra 21 bytes,
it does
	for(;spaces;spaces--)
	  p=stpcpy(p, " ");
to append "spaces" space bytes to the string "p", and so on.

> and provide a test case.

The reproducer is as simple as "env -i LANG=ru_RU.utf8 gpg -v --version".
Do you want a patch for tests/openpgp/version.test that would invoke "gpg
-v --version" in a multibyte locale?  It would have to use po/*.mo files,
which would be tricky.


-- 
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: </pipermail/attachments/20121028/f3a7894a/attachment-0001.pgp>


More information about the Gnupg-devel mailing list