gpg: Fix off-by-one read in the attribute subpacket parser.

* g10/parse-packet.c (parse_attribute_subpkts): Check that the attribute packet is large enough for the subpacket type. -- Reported-by: Hanno Böck Signed-off-by: Werner Koch <wk@gnupg.org> (backported from commit 0988764397f99db4efef1eabcdb8072d6159af76)
2025-01-21 14:47:03 +01:00 · 2014-11-24 19:38:04 +01:00 · 2014-11-24 19:38:04 +01:00 · 2b4809406b
commit 2b4809406b
parent 69767ccf42
1 changed files with 8 additions and 0 deletions
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@ -2026,6 +2026,14 @@ parse_attribute_subpkts(PKT_user_id *uid)
      if( buflen < n )
 	goto too_short;

+      if (!n)
+        {
+          /* Too short to encode the subpacket type.  */
+          if (opt.verbose)
+            log_info ("attribute subpacket too short\n");
+          break;
+        }
+
      attribs=xrealloc(attribs,(count+1)*sizeof(struct user_attribute));
      memset(&attribs[count],0,sizeof(struct user_attribute));