Fixed memory allocation bug and typos.

g10/ChangeLog

@@ -1,3 +1,15 @@
+2006-07-26  Werner Koch  <wk@g10code.com>
+
+	* keygen.c (gen_card_key_with_backup): Initialize sk_{un}protected.
+
+	* import.c (import): Init KEYBLOCK.
+
+	* pkclist.c (edit_ownertrust): Intialize trust to avoid ggc
+	warning.
+
+	* parse-packet.c (parse_comment): Cap comments at 65k.
+	(parse_gpg_control): Skip too large control packets.
+
 2006-06-28  David Shaw  <dshaw@jabberwocky.com>
 
 	* keydb.h, pkclist.c (select_algo_from_prefs, algo_available):

g10/import.c

@@ -243,7 +243,7 @@ import( IOBUF inp, const char* fname,struct stats_s *stats,
 	unsigned char **fpr,size_t *fpr_len,unsigned int options )
 {
     PACKET *pending_pkt = NULL;
-    KBNODE keyblock;
+    KBNODE keyblock = NULL;
     int rc = 0;
 
     getkey_disable_caches();
@@ -566,10 +566,8 @@ check_prefs_warning(PKT_public_key *pk)
   log_info(_("WARNING: key %s contains preferences for unavailable\n"),
             keystr_from_pk(pk));
   /* TRANSLATORS: This string is belongs to the previous one.  They are
-     only split up to allow printing of a common prefix. The
-     check_prefs_warning tag is a hack to make this string unique.  */
-  log_info(_("         algorithms on these user IDs:\n"
-             "\0" "check_prefs_warning")); 
+     only split up to allow printing of a common prefix. */
+  log_info(_("         algorithms on these user IDs:\n"));
 }
 
 static void

g10/keygen.c

@@ -3495,6 +3495,8 @@ gen_card_key_with_backup (int algo, int keyno, int is_primary,
   size_t n;
   int i;
 
+  sk_unprotected = NULL;
+  sk_protected = NULL;
   rc = generate_raw_key (algo, 1024, make_timestamp (),
                          &sk_unprotected, &sk_protected);
   if (rc)

g10/parse-packet.c

@@ -2088,6 +2088,16 @@ parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
 {
     byte *p;
 
+    /* Cap comment packet at a reasonable value to avoid an integer
+       overflow in the malloc below.  Comment packets are actually not
+       anymore define my OpenPGP and we even stopped to use our
+       private comment packet. */
+    if (pktlen>65536)
+      {
+	log_error ("packet(%d) too large\n", pkttype);
+	iobuf_skip_rest (inp, pktlen, 0);
+	return G10ERR_INVALID_PACKET;
+      }
     packet->pkt.comment = xmalloc(sizeof *packet->pkt.comment + pktlen - 1);
     packet->pkt.comment->len = pktlen;
     p = packet->pkt.comment->data;
@@ -2097,7 +2107,7 @@ parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
     if( list_mode ) {
 	int n = packet->pkt.comment->len;
 	fprintf (listfp, ":%scomment packet: \"", pkttype == PKT_OLD_COMMENT?
-					 "OpenPGP draft " : "" );
+					 "OpenPGP draft " : "GnuPG " );
 	for(p=packet->pkt.comment->data; n; p++, n-- ) {
 	    if( *p >= ' ' && *p <= 'z' )
 		putc (*p, listfp);
@@ -2161,6 +2171,7 @@ parse_plaintext( IOBUF inp, int pkttype, unsigned long pktlen,
     }
     mode = iobuf_get_noeof(inp); if( pktlen ) pktlen--;
     namelen = iobuf_get_noeof(inp); if( pktlen ) pktlen--;
+    /* Note that namelen will never exceeds 255 byte. */
     pt = pkt->pkt.plaintext = xmalloc(sizeof *pkt->pkt.plaintext + namelen -1);
     pt->new_ctb = new_ctb;
     pt->mode = mode;
@@ -2311,10 +2322,10 @@ parse_mdc( IOBUF inp, int pkttype, unsigned long pktlen,
 
 
 /*
- * This packet is internally generated by PGG (by armor.c) to
+ * This packet is internally generated by GPG (by armor.c) to
  * transfer some information to the lower layer.  To make sure that
  * this packet is really a GPG faked one and not one comming from outside,
- * we first check that tehre is a unique tag in it.
+ * we first check that there is a unique tag in it.
  * The format of such a control packet is:
  *   n byte  session marker
  *   1 byte  control type CTRLPKT_xxxxx
@@ -2340,6 +2351,9 @@ parse_gpg_control( IOBUF inp, int pkttype,
 	if ( sesmark[i] != iobuf_get_noeof(inp) )
             goto skipit;
     }
+    if (pktlen > 4096)
+      goto skipit; /* Definitely too large.  We skip it to avoid an
+                      overflow in the malloc. */
     if ( list_mode )
         puts ("- gpg control packet");
 

g10/pkclist.c

@@ -363,7 +363,7 @@ do_edit_ownertrust (PKT_public_key *pk, int mode,
 int
 edit_ownertrust (PKT_public_key *pk, int mode )
 {
-  unsigned int trust;
+  unsigned int trust = 0;  /* Needs to be initialized to avoid gcc warning. */
   int no_help = 0;
 
   for(;;)