Found by oss-fuzz
Commit 01c87d4ce23bc9fc44ec5301c2c6bf2ce615c375 introduced a use-after-free.
free_packet (pkt, NULL); is called before pt->namelen and other fields of that structure are accessed,
but pt = pkt->pkt.plaintext has already been freed inside free_packet.
The bug can be triggered simply by running gpg --verify on a file consisting of a single 0xaf byte.
The patch simply moves the free_packet call a few lines down.
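To make the ordering concrete, here is an added C model of the bug and the fix, written for this report and not taken from GnuPG: the structures, the free_packet model and the make_packet helper are assumptions that only mirror the field names the report quotes (pkt->pkt.plaintext, pt->namelen, pt->timestamp), not the g10 definitions, and the marker layout (name length, name, big-endian timestamp) is likewise assumed from the hunk context. It contrasts the free-before-read ordering of the offending commit with the read-before-free ordering the patch restores, and has free_packet clear the pointer so the wrong ordering fails closed instead of reading freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the GnuPG structures named in the report. Field names follow
   the report (pkt->pkt.plaintext, pt->namelen, pt->timestamp); the layout and
   sizes are assumptions for this demo, not g10's definitions. */
typedef struct {
    uint32_t timestamp;
    int namelen;
    char name[64];
} PKT_plaintext;

typedef struct {
    struct { PKT_plaintext *plaintext; } pkt;
} PACKET;

/* Model of free_packet: releases the plaintext body. Clearing the pointer is
   the defensive twist: a later dereference then fails a NULL check instead
   of silently reading freed memory. */
static void free_packet(PACKET *pkt)
{
    free(pkt->pkt.plaintext);
    pkt->pkt.plaintext = NULL;
}

/* Build the marker bytes read from the plaintext body: name length, name,
   and the timestamp as four big-endian bytes (the patch context shows the
   last two of these shifts). Returns the byte count, or -1 if the body is
   missing, the name length is out of range, or the output buffer is too small. */
static int build_plaintext_mark(const PACKET *pkt, unsigned char *out, size_t outlen)
{
    const PKT_plaintext *pt = pkt->pkt.plaintext;
    if (!pt)
        return -1;                       /* body already freed and cleared */
    if (pt->namelen < 0 || pt->namelen > 255)
        return -1;
    size_t need = 1 + (size_t)pt->namelen + 4;
    if (outlen < need)
        return -1;

    size_t n = 0;
    out[n++] = (unsigned char)pt->namelen;
    memcpy(out + n, pt->name, (size_t)pt->namelen);
    n += (size_t)pt->namelen;
    out[n++] = (unsigned char)(pt->timestamp >> 24);
    out[n++] = (unsigned char)(pt->timestamp >> 16);
    out[n++] = (unsigned char)(pt->timestamp >> 8);
    out[n++] = (unsigned char)(pt->timestamp);
    return (int)n;
}

/* Ordering the patch restores: consume pt first, free the packet afterwards. */
static int proc_plaintext_fixed(PACKET *pkt, unsigned char *out, size_t outlen)
{
    int n = build_plaintext_mark(pkt, out, outlen);
    free_packet(pkt);
    return n;
}

/* Ordering the offending commit had: free first, read pt afterwards. With the
   pointer-clearing free_packet above this returns -1; with a free that leaves
   the pointer dangling it is the use-after-free that ASan / oss-fuzz reports. */
static int proc_plaintext_buggy(PACKET *pkt, unsigned char *out, size_t outlen)
{
    free_packet(pkt);
    return build_plaintext_mark(pkt, out, outlen);
}

/* Constructed sample packet (not parsed from real OpenPGP data). */
static PACKET *make_packet(const char *name, uint32_t timestamp)
{
    PACKET *pkt = calloc(1, sizeof *pkt);
    PKT_plaintext *pt = calloc(1, sizeof *pt);
    if (!pkt || !pt) { free(pkt); free(pt); return NULL; }
    size_t len = strlen(name);
    if (len > sizeof pt->name - 1)
        len = sizeof pt->name - 1;       /* keep the demo name inside the buffer */
    pt->timestamp = timestamp;
    pt->namelen = (int)len;
    memcpy(pt->name, name, len);
    pkt->pkt.plaintext = pt;
    return pkt;
}

int main(void)
{
    unsigned char mark[32];
    PACKET *pkt = make_packet("a.txt", 0x01020304u);
    int n = proc_plaintext_fixed(pkt, mark, sizeof mark);
    printf("fixed ordering: %d marker bytes, first byte (namelen) = %d\n", n, mark[0]);
    free(pkt);

    pkt = make_packet("a.txt", 0x01020304u);
    n = proc_plaintext_buggy(pkt, mark, sizeof mark);
    printf("buggy ordering: build returned %d (body gone before it was read)\n", n);
    free(pkt);
    return 0;
}
```

Compiled with -fsanitize=address and a free_packet that does not clear the pointer, proc_plaintext_buggy is exactly the heap-use-after-free the fuzzer flagged; with the clearing version it degrades to a clean -1, which is the cheap hardening worth keeping next to the reordering.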
diff --git a/g10/mainproc.c b/g10/mainproc.c index 6fa30e0d4..5717f1cab 100644 --- a/g10/mainproc.c +++ b/g10/mainproc.c @@ -946,7 +946,6 @@ proc_plaintext( CTX c, PACKET *pkt ) if (rc) log_error ("handle plaintext failed: %s\n", gpg_strerror (rc)); - free_packet (pkt, NULL); c->last_was_session_key = 0; /* We add a marker control packet instead of the plaintext packet. @@ -973,6 +972,7 @@ proc_plaintext( CTX c, PACKET *pkt ) extrahash[extrahashlen++] = pt->timestamp >> 8; extrahash[extrahashlen++] = pt->timestamp ; } + free_packet (pkt, NULL); n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, extrahash, extrahashlen));
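Review bot: Removing free_packet from the first hunk moves the only release of pkt's plaintext body about 25 lines further down, so any early return or goto between the old `if (rc) log_error (...)` block and the new call site in the second hunk would now leak pt; the context shown has none, but the lines between the two hunks are not in the diff and should be checked. The error path itself is unchanged: when handle_plaintext fails the function only logs and continues, which is pre-existing behaviour and fine for this fix.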
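Review bot: In the second hunk the new `free_packet (pkt, NULL);` lands after the extrahash bytes have been copied out of pt and before `n = new_kbnode (create_gpg_control (CTRLPKT_PLAINTEXT_MARK, extrahash, extrahashlen));`, which only consumes the local extrahash buffer, so the ordering is right; but pt remains a live local pointing at freed memory from this line on. Consider adding `pt = NULL;` beside the call (or confirming nothing below uses pt or pkt->pkt.plaintext) so a later edit cannot reintroduce the same use-after-free the way commit 01c87d4ce23bc9fc44ec5301c2c6bf2ce615c375 did.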