Fixed that nasty 64 bit but.

g10/ChangeLog

@@ -1,3 +1,10 @@
+2006-11-10  Werner Koch  <wk@g10code.com>
+
+	* parse-packet.c (mpi_read): Changed NREAD to size_t to match the
+	gcry_mpi-scan prototype. 
+	(mpi_read): Fixed double increment of bytes read to correctly
+	detect overlong MPIs.
+
 2006-11-05  Werner Koch  <wk@g10code.com>
 
 	* gpg.c (main): Remove the default --require-cross-certification.

g10/parse-packet.c

@@ -112,41 +112,41 @@ mpi_read (iobuf_t inp, unsigned int *ret_nread, int secure)
   /*FIXME: Needs to be synced with gnupg14/mpi/mpicoder.c*/
 
   int c, c1, c2, i;
-  unsigned int nbits, nbytes, nread=0;
+  unsigned int nbits, nbytes;
+  size_t nread;
   gcry_mpi_t a = NULL;
   byte *buf = NULL;
   byte *p;
   
-  if( (c = c1 = iobuf_get(inp)) == -1 )
+  if ( (c = c1 = iobuf_get (inp)) == -1 )
     goto leave;
   nbits = c << 8;
-  if( (c = c2 = iobuf_get(inp)) == -1 )
+  if ( (c = c2 = iobuf_get (inp)) == -1 )
     goto leave;
   nbits |= c;
-  if( nbits > MAX_EXTERN_MPI_BITS ) 
+  if ( nbits > MAX_EXTERN_MPI_BITS ) 
     {
       log_error("mpi too large (%u bits)\n", nbits);
       goto leave;
     }
   nread = 2;
   nbytes = (nbits+7) / 8;
-  buf = secure? gcry_xmalloc_secure( nbytes+2 ) : gcry_xmalloc( nbytes+2 );
+  buf = secure ? gcry_xmalloc_secure (nbytes + 2) : gcry_xmalloc (nbytes + 2);
   p = buf;
   p[0] = c1;
   p[1] = c2;
-  for( i=0 ; i < nbytes; i++ ) 
+  for ( i=0 ; i < nbytes; i++ ) 
     {
       p[i+2] = iobuf_get(inp) & 0xff;
       nread++;
     }
-  nread += nbytes;
+  if ( gcry_mpi_scan( &a, GCRYMPI_FMT_PGP, buf, nread, &nread ) )
-  if( gcry_mpi_scan( &a, GCRYMPI_FMT_PGP, buf, nread, &nread ) )
     a = NULL;
     
  leave:
   gcry_free(buf);
-  if( nread > *ret_nread )
+  if ( nread > *ret_nread )
-    log_bug("mpi larger than packet");
+    log_bug ("mpi larger than packet");
   else
     *ret_nread = nread;
   return a;