gpg: Fix possible out-of-bounds read in is_armored.

* g10/armor.c (check_input): Call is_armored only if LEN >= 2. (unarmor_pump): Use a 2 byte buffer for is_armored. -- Fixes-commit: 605276ef8c Signed-off-by: Werner Koch <wk@gnupg.org>
2016-07-05 18:49:06 +02:00 · 2016-07-05 18:49:06 +02:00 · 5d1a9c4dc8
parent 8270580a5a
commit 5d1a9c4dc8
1 changed files with 11 additions and 5 deletions
--- a/g10/armor.c
+++ b/g10/armor.c
@ -190,13 +190,18 @@ initialize(void)
    is_initialized=1;
 }

-/****************
- * Check whether this is an armored file or not See also
+
+/*
+ * Check whether this is an armored file.  See also
 * parse-packet.c for details on this code.
+ *
+ * Note that the buffer BUF needs to be at least 2 bytes long.  If in
+ * doubt that the second byte to 0.
+ *
 * Returns: True if it seems to be armored
 */
 static int
-is_armored( const byte *buf )
+is_armored (const byte *buf)
 {
  int ctb, pkttype;
  int indeterminate_length_allowed;
@ -532,7 +537,7 @@ check_input( armor_filter_context_t *afx, IOBUF a )
    /* (the line is always a C string but maybe longer) */
    if( *line == '\n' || ( len && (*line == '\r' && line[1]=='\n') ) )
 	;
-    else if( !is_armored( line ) ) {
+    else if (len >= 2 && !is_armored (line)) {
 	afx->inp_checked = 1;
 	afx->inp_bypass = 1;
 	return 0;
@ -1411,8 +1416,9 @@ unarmor_pump (UnarmorPump x, int c)
    switch (x->state) {
      case STA_init:
        {
-            byte tmp[1];
+            byte tmp[2];
            tmp[0] = c;
+            tmp[1] = 0;
            if ( is_armored (tmp) )
                x->state = c == '-'? STA_first_dash : STA_wait_newline;
            else {