From 35db798c2df7f31b52a9dd9d55ea60ae1f325be9 Mon Sep 17 00:00:00 2001
From: Werner Koch
Date: Sun, 15 Mar 2015 12:07:21 +0100
Subject: [PATCH] common: Make openpgp_oid_to_str more robust.

* common/openpgp-oid.c (openpgp_oid_to_str): Take care of gcry_mpi_get_opaque returning NULL. Remove useless condition !BUF.
--
It is possible that an opaque MPI stores just a NULL pointer. Take care of that before incrementing the pointer. We return an error in this case because at least a length byte is required.
Found due to hint from stack 0.3:
bug: anti-simplify
model: |
%tobool15 = icmp ne i8* %incdec.ptr, null, !dbg !567 --> true
stack:
- /home/wk/s/gnupg/common/openpgp-oid.c:220:0
ncore: 1
core:
- /home/wk/s/gnupg/common/openpgp-oid.c:212:0
- pointer overflow
Signed-off-by: Werner Koch
---
common/openpgp-oid.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/common/openpgp-oid.c b/common/openpgp-oid.c
index ccb67bbaa..7a758016b 100644
--- a/common/openpgp-oid.c
+++ b/common/openpgp-oid.c
@@ -192,7 +192,9 @@ openpgp_oid_to_str (gcry_mpi_t a)
 valmask = (unsigned long)0xfe << (8 * (sizeof (valmask) - 1));
- if (!a || !gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE))
+ if (!a
+ || !gcry_mpi_get_flag (a, GCRYMPI_FLAG_OPAQUE)
+ || !(buf = gcry_mpi_get_opaque (a, &lengthi)))
 {
 gpg_err_set_errno (EINVAL);
 return NULL;
@@ -217,7 +219,7 @@ openpgp_oid_to_str (gcry_mpi_t a)
 string = p = xtrymalloc (length*(1+3)+2+1);
 if (!string)
 return NULL;
- if (!buf || !length)
+ if (!length)
 {
 *p = 0;
 return string;
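Review bot: The new condition assigns `buf` as a side effect of its third `||` operand (`|| !(buf = gcry_mpi_get_opaque (a, &lengthi))`), and the later `if (!length)` path in the second hunk silently relies on that assignment having happened; a comment above the `if` such as `/* An opaque MPI may hold a NULL pointer; reject it here so BUF is valid below.  */` would make the dependency visible. Note that `gcry_mpi_get_opaque` reports the size through `lengthi` in bits, so this check only establishes that `buf` is non-NULL, not that the length byte the commit message says is required is actually present — presumably that is still enforced by the length handling between the two hunks, which is not visible here. The body of `openpgp_oid_to_str` begins before and continues after this hunk.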
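Review bot: With `buf` now guaranteed non-NULL by the earlier check, `if (!length)` is the only remaining early-out in this hunk, and it returns an empty string without touching errno, whereas the commit message states that an opaque MPI without a length byte is an error. If a zero-length opaque MPI is meant to be rejected like the NULL case, the check belongs before the `xtrymalloc` call as `if (!length) { gpg_err_set_errno (EINVAL); return NULL; }`; if the empty string is the intended result, a one-line comment such as `/* Zero-length opaque MPI: return the empty string.  */` would record that contract. The conversion from `lengthi` to `length` lies between the two hunks and cannot be checked from here.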