Use pgpGet() instead of manual bounds checks

This avoids undefined pointer arithmetic on errors. The new code is also simpler and properly rejects indefinite-length packets.
rpm-software-management · Jun 21, 2021 · 5479157 · 5479157
1 parent 072588c
commit 5479157
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
@@ -341,7 +341,7 @@ struct pgpPkt {
  * 			otherwise -1.
  */
 static int pgpGet(const uint8_t *s, size_t nbytes, const uint8_t *send,
-		  unsigned int *valp)
+		  size_t *valp)
 {
     int rc = -1;
 
@@ -373,9 +373,9 @@ static int decodePkt(const uint8_t *p, size_t plen, struct pgpPkt *pkt)
 	} else {
 	    /* Old format packet, body length encoding in tag byte */
 	    lenlen = (1 << (p[0] & 0x3));
-	    if (plen > lenlen) {
-		pkt->blen = pgpGrab(p+1, lenlen);
-	    }
+	    /* Reject indefinite length packets and check bounds */
+	    if (pgpGet(p + 1, lenlen, p + plen, &pkt->blen))
+		return rc;
 	    pkt->tag = (p[0] >> 2) & 0xf;
 	}
 	hlen = lenlen + 1;
@@ -581,7 +581,7 @@ static int pgpPrtSig(pgpTag tag, const uint8_t *h, size_t hlen,
 {
     uint8_t version = 0;
     const uint8_t * p;
-    unsigned int plen;
+    size_t plen;
     int rc = 1;
 
     if (pgpVersion(h, hlen, &version))