[PATCH gnupg] common: Fix read buffer over-read in uncompress_ecc_q_in_canon_sexp.
Collin Funk
collin.funk1 at gmail.com
Sat May 24 08:52:46 CEST 2025
* common/sexputil.c (uncompress_ecc_q_in_canon_sexp): Only call memcmp
if the lengths are equal.
--
GnuPG-bug-id: 7662
Signed-off-by: Collin Funk <collin.funk1 at gmail.com>
---
common/sexputil.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/common/sexputil.c b/common/sexputil.c
index e00590ac7..fcd15ebc6 100644
--- a/common/sexputil.c
+++ b/common/sexputil.c
@@ -784,11 +784,11 @@ uncompress_ecc_q_in_canon_sexp (const unsigned char *keydata,
return err;
if (!tok)
return gpg_error (GPG_ERR_BAD_PUBKEY);
- else if (toklen == 10 || !memcmp ("public-key", tok, toklen))
+ else if (toklen == 10 && !memcmp ("public-key", tok, toklen))
;
- else if (toklen == 11 || !memcmp ("private-key", tok, toklen))
+ else if (toklen == 11 && !memcmp ("private-key", tok, toklen))
;
- else if (toklen == 20 || !memcmp ("shadowed-private-key", tok, toklen))
+ else if (toklen == 20 && !memcmp ("shadowed-private-key", tok, toklen))
;
else
return gpg_error (GPG_ERR_BAD_PUBKEY);
--
2.49.0
More information about the Gnupg-devel
mailing list