Fix out of bounds copy on malformed PGP packet (#148)

Validate the packet is of correct size for the keyid type before copying. Ditto for similar code in signature creation time.
rpm-software-management · Feb 7, 2017 · 657553f · 657553f
1 parent e843855
commit 657553f
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/rpmio/rpmpgp.c b/rpmio/rpmpgp.c
@@ -423,6 +423,8 @@ static int pgpPrtSubType(const uint8_t *h, size_t hlen, pgpSigType sigtype,
 	    if (!(_digp->saved & PGPDIG_SAVED_TIME) &&
 		(sigtype == PGPSIGTYPE_POSITIVE_CERT || sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT || sigtype == PGPSIGTYPE_STANDALONE))
 	    {
+		if (plen-1 != sizeof(_digp->time))
+		    break;
 		_digp->saved |= PGPDIG_SAVED_TIME;
 		memcpy(_digp->time, p+1, sizeof(_digp->time));
 	    }
@@ -440,6 +442,8 @@ static int pgpPrtSubType(const uint8_t *h, size_t hlen, pgpSigType sigtype,
 	    if (!(_digp->saved & PGPDIG_SAVED_ID) &&
 		(sigtype == PGPSIGTYPE_POSITIVE_CERT || sigtype == PGPSIGTYPE_BINARY || sigtype == PGPSIGTYPE_TEXT || sigtype == PGPSIGTYPE_STANDALONE))
 	    {
+		if (plen-1 != sizeof(_digp->signid))
+		    break;
 		_digp->saved |= PGPDIG_SAVED_ID;
 		memcpy(_digp->signid, p+1, sizeof(_digp->signid));
 	    }