mirror of
git://git.gnupg.org/gnupg.git
synced 2025-07-03 22:56:33 +02:00
Fixed memory allocation bug and typos.
This commit is contained in:
Werner Koch
parent
c45f73774d
commit
ccd5fc4758
34 changed files with 2784 additions and 2984 deletions
|
|
@ -2088,6 +2088,16 @@ parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
|
|||
{
|
||||
byte *p;
|
||||
|
||||
/* Cap comment packet at a reasonable value to avoid an integer
|
||||
overflow in the malloc below. Comment packets are actually not
|
||||
anymore define my OpenPGP and we even stopped to use our
|
||||
private comment packet. */
|
||||
if (pktlen>65536)
|
||||
{
|
||||
log_error ("packet(%d) too large\n", pkttype);
|
||||
iobuf_skip_rest (inp, pktlen, 0);
|
||||
return G10ERR_INVALID_PACKET;
|
||||
}
|
||||
packet->pkt.comment = xmalloc(sizeof *packet->pkt.comment + pktlen - 1);
|
||||
packet->pkt.comment->len = pktlen;
|
||||
p = packet->pkt.comment->data;
|
||||
|
|
@ -2097,7 +2107,7 @@ parse_comment( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
|
|||
if( list_mode ) {
|
||||
int n = packet->pkt.comment->len;
|
||||
fprintf (listfp, ":%scomment packet: \"", pkttype == PKT_OLD_COMMENT?
|
||||
"OpenPGP draft " : "" );
|
||||
"OpenPGP draft " : "GnuPG " );
|
||||
for(p=packet->pkt.comment->data; n; p++, n-- ) {
|
||||
if( *p >= ' ' && *p <= 'z' )
|
||||
putc (*p, listfp);
|
||||
|
|
@ -2161,6 +2171,7 @@ parse_plaintext( IOBUF inp, int pkttype, unsigned long pktlen,
|
|||
}
|
||||
mode = iobuf_get_noeof(inp); if( pktlen ) pktlen--;
|
||||
namelen = iobuf_get_noeof(inp); if( pktlen ) pktlen--;
|
||||
/* Note that namelen will never exceeds 255 byte. */
|
||||
pt = pkt->pkt.plaintext = xmalloc(sizeof *pkt->pkt.plaintext + namelen -1);
|
||||
pt->new_ctb = new_ctb;
|
||||
pt->mode = mode;
|
||||
|
|
@ -2311,10 +2322,10 @@ parse_mdc( IOBUF inp, int pkttype, unsigned long pktlen,
|
|||
|
||||
|
||||
/*
|
||||
* This packet is internally generated by PGG (by armor.c) to
|
||||
* This packet is internally generated by GPG (by armor.c) to
|
||||
* transfer some information to the lower layer. To make sure that
|
||||
* this packet is really a GPG faked one and not one comming from outside,
|
||||
* we first check that tehre is a unique tag in it.
|
||||
* we first check that there is a unique tag in it.
|
||||
* The format of such a control packet is:
|
||||
* n byte session marker
|
||||
* 1 byte control type CTRLPKT_xxxxx
|
||||
|
|
@ -2340,6 +2351,9 @@ parse_gpg_control( IOBUF inp, int pkttype,
|
|||
if ( sesmark[i] != iobuf_get_noeof(inp) )
|
||||
goto skipit;
|
||||
}
|
||||
if (pktlen > 4096)
|
||||
goto skipit; /* Definitely too large. We skip it to avoid an
|
||||
overflow in the malloc. */
|
||||
if ( list_mode )
|
||||
puts ("- gpg control packet");
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue