diff --git a/g10/ChangeLog b/g10/ChangeLog
index bf414fbd8..5847bea2c 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,10 @@
+2006-11-10 Werner Koch
+
+ * parse-packet.c (mpi_read): Changed NREAD to size_t to match the
+ gcry_mpi-scan prototype.
+ (mpi_read): Fixed double increment of bytes read to correctly
+ detect overlong MPIs.
+
 2006-11-05 Werner Koch
 * gpg.c (main): Remove the default --require-cross-certification.
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index 5b8f2de64..d60d5d7dd 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -112,41 +112,41 @@ mpi_read (iobuf_t inp, unsigned int *ret_nread, int secure)
 /*FIXME: Needs to be synced with gnupg14/mpi/mpicoder.c*/
 int c, c1, c2, i;
- unsigned int nbits, nbytes, nread=0;
+ unsigned int nbits, nbytes;
+ size_t nread;
 gcry_mpi_t a = NULL;
 byte *buf = NULL;
 byte *p;
- if( (c = c1 = iobuf_get(inp)) == -1 )
+ if ( (c = c1 = iobuf_get (inp)) == -1 )
 goto leave;
 nbits = c << 8;
- if( (c = c2 = iobuf_get(inp)) == -1 )
+ if ( (c = c2 = iobuf_get (inp)) == -1 )
 goto leave;
 nbits |= c;
- if( nbits > MAX_EXTERN_MPI_BITS )
+ if ( nbits > MAX_EXTERN_MPI_BITS )
 {
 log_error("mpi too large (%u bits)\n", nbits);
 goto leave;
 }
 nread = 2;
 nbytes = (nbits+7) / 8;
- buf = secure? gcry_xmalloc_secure( nbytes+2 ) : gcry_xmalloc( nbytes+2 );
+ buf = secure ? gcry_xmalloc_secure (nbytes + 2) : gcry_xmalloc (nbytes + 2);
 p = buf;
 p[0] = c1;
 p[1] = c2;
- for( i=0 ; i < nbytes; i++ )
+ for ( i=0 ; i < nbytes; i++ )
 {
 p[i+2] = iobuf_get(inp) & 0xff;
 nread++;
 }
- nread += nbytes;
- if( gcry_mpi_scan( &a, GCRYMPI_FMT_PGP, buf, nread, &nread ) )
+ if ( gcry_mpi_scan( &a, GCRYMPI_FMT_PGP, buf, nread, &nread ) )
 a = NULL;
 leave:
 gcry_free(buf);
- if( nread > *ret_nread )
- log_bug("mpi larger than packet");
+ if ( nread > *ret_nread )
+ log_bug ("mpi larger than packet");
 else
 *ret_nread = nread;
 return a;
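Review bot: `nread` loses its initializer here (`size_t nread;` replaces `nread=0`), yet the three early `goto leave` exits — both `iobuf_get` failures and the `nbits > MAX_EXTERN_MPI_BITS` rejection — run before `nread = 2;` and then reach `if ( nread > *ret_nread )` with an indeterminate value. On truncated or oversized input that comparison can take either branch, so the function may call `log_bug` spuriously or write garbage to `*ret_nread`; keep the initializer, `size_t nread = 0;`. Separately, the read loop stores `iobuf_get(inp) & 0xff` without testing for -1, so a packet that ends early is silently padded with 0xff bytes, and an MPI longer than the packet is only noticed after the bytes were consumed, via `log_bug`, which looks like a fatal path and is a harsh response to malformed external data. The opening and closing braces of mpi_read are outside the hunk.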