parse_key doesn't check for EOF when it encounters an RFC1991 comment packet while
listing packets. This results in it emitting a large number (up to ~2^33) of 'F'
characters when listing a packet of negligible length.
The trivial patch to fix this is inline; a test case is included in the attached
tarball.
This bug was found by Michał Zalewski's american-fuzzy-lop; it has been replicated with
the version of GnuPG 1.4.18 packaged with Ubuntu 14.04 x86/x86_64, as well as against
versions built directly from GnuPG 1.4.18 source tarballs on Ubuntu 14.04 x86/x86_64
and OS X.
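As an added illustration (not GnuPG's own code), here is the shape of the listing loop before and after the EOF check, run over a constructed 5-byte comment body whose header claims 1000 bytes. The reader type, the 0xff fill byte and the '?' placeholder for non-printable output are assumptions standing in for GnuPG's iobuf and its listing format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Tiny stand-in for GnuPG's IOBUF (added illustration, not GnuPG code):
   a byte buffer with a read cursor. rd_get() behaves like iobuf_get():
   next byte, or -1 once the input is exhausted. */
typedef struct { const unsigned char *data; size_t len, pos; } reader;
static int rd_get(reader *r) { return r->pos < r->len ? r->data[r->pos++] : -1; }

/* Output sink: counts every character the listing would print, keeps a few. */
typedef struct { char head[16]; size_t n; } sink;
static void emit(sink *s, char c) { if (s->n < sizeof s->head - 1) s->head[s->n] = c; s->n++; }

/* Before the fix: the declared packet length alone drives the loop and the
   getter never reports EOF, so every missing byte still produces output.
   The 0xff fill is an assumption standing in for the no-EOF getter's value. */
static size_t list_comment_before(reader *r, uint64_t pktlen, sink *s) {
    for (; pktlen; pktlen--) {
        int c = rd_get(r);
        if (c == -1) c = 0xff;
        emit(s, (c >= ' ' && c <= 'z') ? (char)c : '?'); /* '?' stands for the escape */
    }
    return s->n;
}

typedef struct { size_t emitted; uint64_t remaining; int truncated; } list_result;

/* After the fix: stop at EOF and tell the caller how much of the declared
   length was never read, so a truncated packet is reported rather than padded. */
static list_result list_comment_after(reader *r, uint64_t pktlen, sink *s) {
    list_result res = {0, 0, 0};
    for (; pktlen; pktlen--) {
        int c = rd_get(r);
        if (c == -1) { res.truncated = 1; break; }
        emit(s, (c >= ' ' && c <= 'z') ? (char)c : '?');
        res.emitted++;
    }
    res.remaining = pktlen;
    return res;
}

/* Constructed input: a 5-byte comment body whose header claims 1000 bytes. */
static const unsigned char BODY[] = "hello";
#define DECLARED_LEN 1000u
static size_t demo_before(void) { reader r = {BODY, 5, 0}; sink s = {{0}, 0}; return list_comment_before(&r, DECLARED_LEN, &s); }
static list_result demo_after(void) { reader r = {BODY, 5, 0}; sink s = {{0}, 0}; return list_comment_after(&r, DECLARED_LEN, &s); }

int main(void) {
    list_result a = demo_after();
    printf("before: %zu chars for a 5-byte body\n", demo_before());
    printf("after: %zu chars, truncated=%d, %llu bytes never read\n",
           a.emitted, a.truncated, (unsigned long long)a.remaining);
    return 0;
}
```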
From 7239d8e562e14e05ce83b0b9ca6d9900af5285d7 Mon Sep 17 00:00:00 2001
From: David Leon Gil <coruus@gmail.com>
Date: Wed, 10 Sep 2014 12:40:54 -0400
Subject: [PATCH] Fix failure to check for EOF in parse_key.
---
g10/parse-packet.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index 92fc399..888a280 100644
- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -1631,7 +1631,9 @@ parse_key( IOBUF inp, int pkttype, unsigned long pktlen,
fprintf (listfp, ":rfc1991 comment packet: \"" ); for( ; pktlen; pktlen-- ) { int c;
- c = iobuf_get_noeof(inp);
+ c = iobuf_get(inp);
+ if( c == -1)
+ break;
if( c >= ' ' && c <= 'z' ) putc (c, listfp); else
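Review bot: the early `break` at EOF leaves `pktlen` non-zero, because the loop only decrements it after a byte is read, and nothing in the hunk tells the caller that the packet was truncated; the listing simply stops. If parse_key or its caller uses the remaining `pktlen` after this loop (for example to skip the rest of the packet), that path should be checked, and it would be better to also record the EOF as a parse error or print a "truncated packet" note in the listing rather than ending it silently. Two smaller points: `if( c == -1)` should match the surrounding spacing style (`if( c == -1 )`), and the diffstat shows only g10/parse-packet.c changing, so the test case exists only in the attached tarball; adding it to the tree as a regression test would keep the fix from regressing.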
1.8.5.2 (Apple Git-48)