File:cipher/dsa.c
Line number of error: 320
libgcrypt version 1.5.4

Code:

    p = _gcry_generate_elg_prime (1, nbits, qbits, NULL, ret_factors);

    /* Get q out of factors. */
    q = mpi_copy ((*ret_factors)[0]);
    gcry_assert (mpi_get_nbits (q) == qbits);

    /* Find a generator g (h and e are helpers).
       e = (p-1)/q */
    e = mpi_alloc (mpi_get_nlimbs (p));
-> Here 'p' is assigned the return value of '_gcry_generate_elg_prime', which
has a very high probability of returning NULL. That possibly NULL 'p' is then
dereferenced a few lines below, at line 320, in the call
'mpi_alloc (mpi_get_nlimbs (p))', since 'mpi_get_nlimbs (p)' is equivalent to
'p->nlimbs'.
So an assert (gcry_assert) can be used to check that 'p' is not NULL before it is used.
Recommended Code:

    p = _gcry_generate_elg_prime (1, nbits, qbits, NULL, ret_factors);
    gcry_assert (p);

    /* Get q out of factors. */
    q = mpi_copy ((*ret_factors)[0]);
    gcry_assert (mpi_get_nbits (q) == qbits);

    /* Find a generator g (h and e are helpers).
       e = (p-1)/q */
    e = mpi_alloc (mpi_get_nlimbs (p));
I am attaching a patch for the above mentioned bug.
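The following is an added illustration, not libgcrypt code or the attached patch: it reproduces the quoted step with small integers (e = (p-1)/q, then the standard DSA search for a generator g = h^e mod p, which the surrounding comment implies) and shows the NULL check on p as an error return rather than a crash. The toy prime generator and the values p = 23, q = 11 are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Small-integer stand-in for the MPI type used in dsa.c (constructed). */
typedef struct { uint64_t v; } mpi_t;

/* b^e mod m by square-and-multiply; operands are small enough not to overflow. */
static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    b %= m;
    while (e) {
        if (e & 1) r = r * b % m;
        b = b * b % m;
        e >>= 1;
    }
    return r;
}

/* Stand-in for _gcry_generate_elg_prime: hands back a constructed prime p
 * with a known factor q of p-1 (p = 2*q*k + 1), or NULL to model the failure
 * the report describes. No real prime search is performed. */
static mpi_t *toy_generate_prime(int fail, mpi_t *q_out)
{
    static mpi_t p = { 23 };    /* 23 is prime and q = 11 divides 22 */
    if (fail)
        return NULL;
    q_out->v = 11;
    return &p;
}

/* Checked version of the step at line 320: returns 0 and fills in
 * e = (p-1)/q and a generator g of the order-q subgroup, or -1 when prime
 * generation failed, instead of dereferencing NULL via mpi_get_nlimbs (p). */
static int dsa_find_generator(int fail, uint64_t *e_out, uint64_t *g_out)
{
    mpi_t q;
    mpi_t *p = toy_generate_prime(fail, &q);
    if (p == NULL)               /* the check missing from the reported code */
        return -1;
    uint64_t e = (p->v - 1) / q.v;                 /* e = (p-1)/q */
    uint64_t g = 1;
    for (uint64_t h = 2; h < p->v && g == 1; h++)  /* h is the helper */
        g = powmod(h, e, p->v);                    /* reject g == 1 */
    *e_out = e;
    *g_out = g;
    return 0;
}
```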