gpg: Fix possible memory corruption in the armor parser.

dd9jn · dd9jn · commit 4ecc5122f20e · 2025-12-30T09:55:58.000+01:00
* g10/armor.c (armor_filter): Fix faulty double increment. * common/iobuf.c (underflow_target): Assert that the filter implementations behave well. -- This fixes a bug in a code path which can only be reached with special crafted input data and would then error out at an upper layer due to corrupt input (every second byte in the buffer is unitialized garbage). No fuzzing has yet hit this case and we don't have a test case for this code path. However memory corruption can never be tolerated as it always has the protential for remode code execution. Reported-by: 8b79fe4dd0581c1cd000e1fbecba9f39e16a396a Fixes-commit: c27c741 which fixed Fixes-commit: 7d0efec Backported-from-master: 115d138 The bug was introduced on 1999-01-07 by me: * armor.c: Rewrote large parts. which I fixed on 1999-03-02 but missed to fix the other case: * armor.c (armor_filter): Fixed armor bypassing. Below is base64+gzipped test data which can be used with valgrind to show access to uninitalized memory in write(2) in the unpatched code. --8<---------------cut here---------------start------------->8--- H4sICIDd+WgCA3h4AO3QMQ6CQBCG0djOKbY3G05gscYFSRAJt/AExp6Di0cQG0ze a//MV0zOq3Pt+jFN3ZTKfLvP9ZLafqifJUe8juOjeZbVtSkbRPmRgICAgICAgICA gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA gICAgICAgICAgICAgICAgICAgICAgICAgMCXF6dYDgAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC7E14AAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADwZ94aieId3+8EAA== --8<---------------cut here---------------end--------------->8---
diff --git a/common/iobuf.c b/common/iobuf.c
@@ -2043,6 +2043,8 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
 	rc = 0;
       else
       {
+        size_t tmplen;
+
 	/* If no buffered data and drain buffer has been setup, and drain
 	 * buffer is largish, read data directly to drain buffer. */
 	if (a->d.len == 0
@@ -2055,8 +2057,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
 	      log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes, to external drain)\n",
 			 a->no, a->subno, (ulong)len);
 
-	    rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
+            tmplen = len;  /* Used to check for bugs in the filter.  */
+            rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
 			    a->e_d.buf, &len);
+            log_assert (len <= tmplen);
 	    a->e_d.used = len;
 	    len = 0;
 	  }
@@ -2066,8 +2070,10 @@ underflow_target (iobuf_t a, int clear_pending_eof, size_t target)
 	      log_debug ("iobuf-%d.%d: underflow: A->FILTER (%lu bytes)\n",
 			 a->no, a->subno, (ulong)len);
 
+            tmplen = len;  /* Used to check for bugs in the filter.  */
 	    rc = a->filter (a->filter_ov, IOBUFCTRL_UNDERFLOW, a->chain,
 			    &a->d.buf[a->d.len], &len);
+            log_assert (len <= tmplen);
 	  }
       }
       a->d.len += len;
diff --git a/g10/armor.c b/g10/armor.c
@@ -1302,8 +1302,8 @@ armor_filter( void *opaque, int control,
 	n = 0;
 	if( afx->buffer_len ) {
             /* Copy the data from AFX->BUFFER to BUF.  */
-	    for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
-		buf[n++] = afx->buffer[afx->buffer_pos++];
+            for(; n < size && afx->buffer_pos < afx->buffer_len;)
+                buf[n++] = afx->buffer[afx->buffer_pos++];
 	    if( afx->buffer_pos >= afx->buffer_len )
 		afx->buffer_len = 0;
 	}
