From 8f8c29d24ca13f987e6c118702b428a2051b7072 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Wed, 31 Oct 2012 16:09:06 +0900 Subject: [PATCH] agent: Fix wrong use of gcry_sexp_build_array * findkey.c (agent_public_key_from_file): Fix use of gcry_sexp_build_array. -- A test case leading to a segv in Libgcrypt is gpg-connect-agent \ "READKEY 9277C5875C8AFFCB727661C18BE4E0A0DEED9260" /bye The keygrip was created by "monkeysphere s", which has a comment. gcry_sexp_build_array expects pointers to the arguments which is quite surprising. Probably ARG_NEXT was accidentally implemented wrongly. Anyway, we can't do anything about it and thus need to fix the check the users of this function. Some-comments-by: Werner Koch
---
 agent/findkey.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/agent/findkey.c b/agent/findkey.c
index 0b57390eb..b17870ef7 100644
--- a/agent/findkey.c
+++ b/agent/findkey.c
@@ -948,15 +948,15 @@ agent_public_key_from_file (ctrl_t ctrl,
 {
 p = stpcpy (p, "(uri %b)");
 assert (argidx+1 < DIM (args));
- args[argidx++] = (void *)uri_length;
- args[argidx++] = (void *)uri;
+ args[argidx++] = (void *)&uri_length;
+ args[argidx++] = (void *)&uri;
 }
 if (comment)
 {
 p = stpcpy (p, "(comment %b)");
 assert (argidx+1 < DIM (args));
- args[argidx++] = (void *)comment_length;
- args[argidx++] = (void*)comment;
+ args[argidx++] = (void *)&comment_length;
+ args[argidx++] = (void*)&comment;
 }
 *p++ = ')';
 *p = 0;
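Review bot: The length slots now hold `&uri_length` and `&comment_length`, and for `%b` Libgcrypt reads the length through that pointer as an `int`. If these variables are declared `size_t` (the declarations are outside the hunk), the read has the wrong width, and on a 64-bit big-endian target it would pick up the high half and produce a zero length. Copying into an int declared at function scope avoids that: `uri_intlen = (int)uri_length;` followed by `args[argidx++] = (void *)&uri_intlen;`, and the same for the comment length. A short comment above the first assignment, such as `/* gcry_sexp_build_array takes pointers to the values, not the values themselves. */`, would stop a later cleanup from reverting the fix. The body of agent_public_key_from_file starts and ends outside the hunk, so the lifetime of the pointed-to locals up to the build call should be confirmed there.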