Re: cvs bug -- write/read beyond end of allocated area
From: Larry Jones
Subject: Re: cvs bug -- write/read beyond end of allocated area
Date: Wed, 30 Mar 2011 15:54:00 -0400
David Taylor writes:
>
> Here's a patch (cvs diff -u) against the trunk. After applying this
> patch, valgrind no longer complains and basica-o7 passes rather than
> abort.
>
> Index: gpg.c
> ===================================================================
> RCS file: /sources/cvs/ccvs/src/gpg.c,v
> retrieving revision 1.4
> diff -u -r1.4 gpg.c
> --- gpg.c 24 May 2006 16:38:50 -0000 1.4
> +++ gpg.c 30 Mar 2011 14:51:10 -0000
> @@ -404,7 +404,7 @@
> size_t raw_idx = 0;
>
> /* Enough to store the subpacket length. */
> - spout->raw = xmalloc (4);
> + spout->raw = xmalloc (5);
>
> if ((rc = read_u8 (bpin, &c)))
> return rc;
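Review bot: The literal 5 in the xmalloc call is unexplained, and the comment above it still only says "Enough to store the subpacket length" without stating what the largest length header is. Suggest a named constant for the maximum header size, or a comment giving the byte count and where it comes from, so the next reader can check the number against the read_u8 calls that fill the buffer at raw_idx.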
> @@ -435,7 +435,7 @@
> error (1, 0, "Received zero length subpacket in OpenPGP signature.");
>
> /* Allocate enough bytes for the rest of the subpacket. */
> - spout->raw = xrealloc (spout->raw, splen);
> + spout->raw = xrealloc (spout->raw, splen + 1);
>
> /* Read the subpacket type. */
> if ((rc = read_u8 (bpin, &c)))
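Review bot: In the xrealloc call, splen + 1 leaves room for only one byte ahead of the subpacket body, but spout->raw already holds the length header written before this point, and that header was just given up to 5 bytes in the first hunk. The new size should be splen plus the number of bytes already stored (splen + raw_idx, as the reply below says), otherwise a subpacket with a multi-byte length header still writes past the end of the allocation.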
Thanks. I've checked this in with one change: the second change should
actually be ``splen + raw_idx'' rather than ``splen + 1'' since you need
room for splen bytes in addition to the header that's already been
stored.
--
Larry Jones
Temporary insanity! That's all it was! -- Calvin
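
The sizing rule from the reply above (header bytes already stored plus splen body bytes), as an added example that is not CVS's gpg.c and not part of the original message. The function names are hypothetical, the input is an in-memory buffer rather than a stream, and the 1/2/5-byte length encoding is the one in RFC 4880 section 5.2.3.1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Decode an OpenPGP signature-subpacket length header (RFC 4880, 5.2.3.1).
   Returns the header size in bytes (1, 2 or 5) and stores the body length
   in *body_len; returns 0 if the input is too short to hold the header. */
static size_t subpacket_header(const uint8_t *in, size_t in_len, size_t *body_len)
{
    if (in_len < 1)
        return 0;
    if (in[0] < 192) {                    /* one-octet length */
        *body_len = in[0];
        return 1;
    }
    if (in[0] < 255) {                    /* two-octet length */
        if (in_len < 2)
            return 0;
        *body_len = ((size_t)(in[0] - 192) << 8) + in[1] + 192;
        return 2;
    }
    if (in_len < 5)                       /* 0xFF marker + four-octet length */
        return 0;
    *body_len = ((size_t)in[1] << 24) | ((size_t)in[2] << 16)
              | ((size_t)in[3] << 8) | in[4];
    return 5;
}

/* Copy one raw subpacket (length header + body) into a new buffer.
   The allocation is header bytes plus body bytes, never the body alone.
   Returns NULL on truncated or zero-length input; *raw_len gets the size. */
uint8_t *copy_raw_subpacket(const uint8_t *in, size_t in_len, size_t *raw_len)
{
    size_t body_len, hdr = subpacket_header(in, in_len, &body_len);
    uint8_t *raw;

    /* body_len is bounded by the input, so hdr + body_len cannot wrap. */
    if (hdr == 0 || body_len == 0 || body_len > in_len - hdr)
        return NULL;
    raw = malloc(hdr + body_len);
    if (raw == NULL)
        return NULL;
    memcpy(raw, in, hdr + body_len);
    *raw_len = hdr + body_len;
    return raw;
}
```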