From 9ae48b173c93f4747a9826beb1fbd023c4362c22 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Fri, 15 Nov 2013 08:36:39 +0100
Subject: [PATCH] kbx: Fix possible segv in kbxdump.

* kbx/keybox-dump.c (_keybox_dump_blob): Check length before get32.

Signed-off-by: Werner Koch <wk@gnupg.org>
---
 kbx/keybox-dump.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kbx/keybox-dump.c b/kbx/keybox-dump.c
index c397f9c81..1af6a9cba 100644
--- a/kbx/keybox-dump.c
+++ b/kbx/keybox-dump.c
@@ -402,7 +402,7 @@ _keybox_dump_blob (KEYBOXBLOB blob, FILE *fp)
   n = get32 (p ); p += 4;
   fprintf (fp, "Reserved-Space: %lu\n", n );
 
-  if (unhashed >= 24)
+  if (n >= 4 && unhashed >= 24)
     {
       n = get32 ( buffer + length - unhashed);
       fprintf (fp, "Storage-Flags: %08lx\n", n );