summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWerner Koch <wk@gnupg.org>2014-07-30 11:04:55 +0200
committerDongHun Kwak <dh0128.kwak@samsung.com>2021-02-09 11:16:20 +0900
commit9ef4d8d890939ad97e8fa1ea57209bff93a1a66f (patch)
tree61bd83a292203bec1f054d5bb7e8fa12edc81b89
parent020813a39ceb976ef3bb0c4ba4ae5c8c1fbd268e (diff)
downloadgpgme-9ef4d8d890939ad97e8fa1ea57209bff93a1a66f.tar.gz
gpgme-9ef4d8d890939ad97e8fa1ea57209bff93a1a66f.tar.bz2
gpgme-9ef4d8d890939ad97e8fa1ea57209bff93a1a66f.zip
[CVE-2014-3564] Fix possible realloc overflow for gpgsm and uiserver engines.HEADsubmit/tizen/20210209.022029accepted/tizen/unified/20210210.052228tizenaccepted/tizen_unified
* src/engine-gpgsm.c (status_handler): * src/engine-uiserver.c (status_handler): -- After a realloc (realloc is also used for initial alloc) the allocated size if the buffer is not correctly recorded. Thus an overflow can be introduced by receiving data with different line lengths in a specific order. This is not easy exploitable because libassuan constructs the line. However a crash has been reported and thus it might be possible to constructs an exploit. Change-Id: I6d7bdc267f2e45be0ccd47fa4b68e0c358370e91 CVE-id: CVE-2014-3564 Reported-by: Tomáš Trnka Signed-off-by: DongHun Kwak <dh0128.kwak@samsung.com>
-rw-r--r--src/engine-gpgsm.c2
-rw-r--r--src/engine-uiserver.c2
2 files changed, 2 insertions, 2 deletions
diff --git a/src/engine-gpgsm.c b/src/engine-gpgsm.c
index 0620458..f35e1f7 100644
--- a/src/engine-gpgsm.c
+++ b/src/engine-gpgsm.c
@@ -834,7 +834,7 @@ status_handler (void *opaque, int fd)
else
{
*aline = newline;
- gpgsm->colon.attic.linesize += linelen + 1;
+ gpgsm->colon.attic.linesize = *alinelen + linelen + 1;
}
}
if (!err)
diff --git a/src/engine-uiserver.c b/src/engine-uiserver.c
index c705a4b..87ae162 100644
--- a/src/engine-uiserver.c
+++ b/src/engine-uiserver.c
@@ -699,7 +699,7 @@ status_handler (void *opaque, int fd)
else
{
*aline = newline;
- uiserver->colon.attic.linesize += linelen + 1;
+ uiserver->colon.attic.linesize = *alinelen + linelen + 1;
}
}
if (!err)