diff -uNr gnupg-1.4.18/g10/build-packet.c gnupg-1.4.18.fefe/g10/build-packet.c --- gnupg-1.4.18/g10/build-packet.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/g10/build-packet.c 2015-02-03 15:33:04.242653074 -0800 @@ -748,17 +748,28 @@ /* Calculate new size of the area and allocate */ n0 = oldarea? oldarea->len : 0; - n = n0 + nlen + 1 + buflen; /* length, type, buffer */ + +// n = n0 + nlen + 1 + buflen; /* length, type, buffer */ + + n = n0 + nlen; + assert(n > n0); + assert(n + buflen > n); + n += buflen; + assert(n + 1 > n); + ++ n; + if (oldarea && n <= oldarea->size) { /* fits into the unused space */ newarea = oldarea; /*log_debug ("updating area for type %d\n", type );*/ } else if (oldarea) { + assert(sizeof (*newarea) + n - 1 > n); newarea = xrealloc (oldarea, sizeof (*newarea) + n - 1); newarea->size = n; /*log_debug ("reallocating area for type %d\n", type );*/ } else { + assert(sizeof (*newarea) + n - 1 > n); newarea = xmalloc (sizeof (*newarea) + n - 1); newarea->size = n; /*log_debug ("allocating area for type %d\n", type );*/ diff -uNr gnupg-1.4.18/g10/import.c gnupg-1.4.18.fefe/g10/import.c --- gnupg-1.4.18/g10/import.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/g10/import.c 2015-02-03 15:33:04.242653074 -0800 @@ -23,6 +23,7 @@ #include #include #include +#include #include #include "options.h" @@ -601,6 +602,7 @@ else fingerprint_from_sk (sk, array, &n); s = array; + for (i=0; i < n ; i++, s++, p += 2) sprintf (p, "%02X", *s); @@ -615,7 +617,8 @@ u32 keyid[2]; size_t i, pos = 0, n; - buf = xmalloc (17+41+id->len+32); + assert(id->len>=0); + buf = xmalloc (17+41+(size_t)id->len+32); keyid_from_pk (pk, keyid); sprintf (buf, "%08X%08X ", keyid[0], keyid[1]); pos = 17; diff -uNr gnupg-1.4.18/g10/misc.c gnupg-1.4.18.fefe/g10/misc.c --- gnupg-1.4.18/g10/misc.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/g10/misc.c 2015-02-03 15:33:04.242653074 -0800 
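Review bot: The new overflow guards in this hunk are `assert()` calls, which vanish if the build ever defines NDEBUG and then leave the size arithmetic exactly as unchecked as before; since this is memory-sizing logic, a hard check that survives release builds (the `BUG()` the pipemode.c hunks use, or `log_bug` as in the seskey.c hunk) would be the safer choice, and the same applies to the assert-based guards in import.c, parse-packet.c, seskey.c, status.c, trustdb.c, membuf.c and strgutil.c. `assert(n + buflen > n)` also trips on a zero-length buffer rather than on a wrap; for a non-negative addend the wrap-free relation is `assert(n + buflen >= n);` (the `assert(n + 1 > n)` line is fine as written). The commented-out `// n = n0 + nlen + 1 + buflen;` line should be dropped rather than kept as dead code, and `//` comments do not match the rest of this file. The enclosing function starts and ends outside the hunk.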
@@ -23,6 +23,7 @@ #include #include #include +#include #include #if defined(__linux__) && defined(__alpha__) && __GLIBC__ < 2 #include @@ -363,7 +364,16 @@ { static byte marker[SIZEOF_UNSIGNED_LONG*2]; static int initialized; + int fd; + if (!initialized) { + fd=open("/dev/urandom",O_RDONLY); + if (fd!=-1) { + if (read(fd,marker,sizeof(marker))==sizeof(marker)) + initialized=1; + close(fd); + } + } if ( !initialized ) { volatile ulong aa, bb; /* we really want the uninitialized value */ ulong a, b; diff -uNr gnupg-1.4.18/g10/parse-packet.c gnupg-1.4.18.fefe/g10/parse-packet.c --- gnupg-1.4.18/g10/parse-packet.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/g10/parse-packet.c 2015-02-03 15:33:04.243653074 -0800 @@ -1623,6 +1623,7 @@ int rc=0; u32 keyid[2]; + assert(pktlen > 0); version = iobuf_get_noeof(inp); pktlen--; if( pkttype == PKT_PUBLIC_SUBKEY && version == '#' ) { /* early versions of G10 use old PGP comments packets; diff -uNr gnupg-1.4.18/g10/pipemode.c gnupg-1.4.18.fefe/g10/pipemode.c --- gnupg-1.4.18/g10/pipemode.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/g10/pipemode.c 2015-02-03 15:33:04.243653074 -0800 @@ -61,13 +61,13 @@ static size_t -make_control ( byte *buf, int code, int operation ) +make_control ( byte *buf, int code, int operation, size_t spaceleft ) { const byte *sesmark; size_t sesmarklen, n=0;; sesmark = get_session_marker( &sesmarklen ); - if ( sesmarklen > 20 ) + if ( sesmarklen > 20 || spaceleftstate = STX_begin; - n += make_control ( buf+n, 1, stx->operation ); + n += make_control ( buf+n, 1, stx->operation, size-n ); /* must leave after a control packet */ goto leave; 
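Review bot: A short or EINTR-interrupted `read()` of `/dev/urandom` in the new block silently leaves `initialized` at 0 and falls through to the original uninitialized-stack fallback, which is the weaker source; the read should loop until `sizeof(marker)` bytes arrive or a real error occurs. The loop form below also avoids comparing the `ssize_t` result of `read()` with the `size_t` `sizeof(marker)`. `read()`/`close()` need `<unistd.h>` and `errno` needs `<errno.h>`; the added `#include` line's header name is not visible on this page, so confirm both are in scope. The enclosing function starts and ends outside the hunk.
```c
    if (!initialized) {
	fd=open("/dev/urandom",O_RDONLY);
	if (fd!=-1) {
	    size_t got = 0;
	    while (got < sizeof(marker)) {
		ssize_t r = read(fd, marker + got, sizeof(marker) - got);
		if (r < 0 && errno == EINTR)
		    continue;
		if (r <= 0)
		    break;   /* error or EOF: keep the original fallback below */
		got += (size_t)r;
	    }
	    if (got == sizeof(marker))
		initialized=1;
	    close(fd);
	}
    }
    /* … unchanged: original uninitialized-value fallback … */
```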
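Review bot: `assert(pktlen > 0)` turns a malformed packet from untrusted input into an abort of the whole process, since `pktlen` comes straight from the packet header; the parser should reject it the way the rest of parse-packet.c rejects bad packets, `if (!pktlen) { rc = G10ERR_INVALID_PACKET; goto leave; }`, instead of asserting. The location is right, because the unconditional `pktlen--` on the next line would otherwise wrap a zero-length count. The enclosing function starts and ends outside the hunk, so confirm the `leave:` label and `rc` convention it uses before adopting that form.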
@@ -190,9 +190,11 @@ return -1; } stx->state = STX_signed_data; - n += make_control ( buf+n, 2, 'B' ); + n += make_control ( buf+n, 2, 'B', size-n ); /* and now we fake a literal data packet much the same * as in armor.c */ + if (size-n<9) + BUG(); buf[n++] = 0xaf; /* old packet format, type 11, var length */ buf[n++] = 0; /* set the length header */ @@ -219,6 +221,7 @@ if (stx->block_mode) { buf[0] = (n-2) >> 8; buf[1] = (n-2); + if (size-n<2) BUG(); if ( buf[0] || buf[1] ) { /* end of blocks marker */ buf[n++] = 0; @@ -226,7 +229,7 @@ } stx->block_mode = 0; } - n += make_control ( buf+n, 3, 'B' ); + n += make_control ( buf+n, 3, 'B', size-n ); } else { log_error ("invalid state for @.\n"); diff -uNr gnupg-1.4.18/g10/seskey.c gnupg-1.4.18.fefe/g10/seskey.c --- gnupg-1.4.18/g10/seskey.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/g10/seskey.c 2015-02-03 15:33:04.243653074 -0800 @@ -150,6 +150,7 @@ int i,n; MPI a; + assert(len+asnlen>len && len+asnlen+4>4); if( len + asnlen + 4 > nframe ) log_bug("can't encode a %d bit MD into a %d bits frame\n", (int)(len*8), (int)nbits); diff -uNr gnupg-1.4.18/g10/status.c gnupg-1.4.18.fefe/g10/status.c --- gnupg-1.4.18/g10/status.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/g10/status.c 2015-02-03 15:33:04.243653074 -0800 @@ -25,6 +25,7 @@ #include #include #include +#include #ifdef USE_SHM_COPROCESSING #ifdef USE_CAPABILITIES #include @@ -548,7 +549,8 @@ static char * do_get_from_fd( const char *keyword, int hidden, int getbool ) { - int i, len; + int i; + unsigned int len; char *string; if(statusfp!=stdout) 
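Review bot: `if (size-n<9) BUG();` guards the literal-data header bytes written right after it, but the constant 9 is not explained; a comment such as `/* 9 = tag, two length bytes, format, name length, 4-byte timestamp */` ties it to the `buf[n++]` stores that follow (the names are inferred from the surrounding comments, so confirm the count against the full store sequence, which continues past the hunk). Both this check and the `if (size-n<2) BUG();` in the next hunk rely on `n` never exceeding `size`; if it did, the `size_t` subtraction would wrap and the guard would pass, so they are only as good as the bound the new `spaceleft` parameter of `make_control` enforces. The enclosing function starts and ends outside the hunk.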
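Review bot: The new `assert(len+asnlen>len && len+asnlen+4>len+4)`-style guard duplicates in debug-only form what the `log_bug` check on the next line already tries to do, and the two disagree in mechanism; rewriting the existing condition so it cannot wrap makes the assert unnecessary, e.g. `if( nframe < 4 || asnlen > nframe - 4 || len > nframe - 4 - asnlen )` in front of the existing `log_bug(...)` call, which is equivalent to `len + asnlen + 4 > nframe` without any overflowing addition. The types of `len`, `asnlen` and `nframe` are not visible in the hunk; the rewrite assumes they are unsigned. The enclosing function starts and ends outside the hunk.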
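Review bot: Changing `len` to `unsigned int` while `i` stays `int` makes `i >= len-1` in the next hunk a signed/unsigned comparison: `i` is converted to unsigned, which is harmless while `i` is non-negative but silently wrong should it ever go negative, and it draws `-Wsign-compare` warnings. Declaring both with one type, `unsigned int i, len;`, keeps the loop counter and the bound in the same domain; `i` and `len` both start at 200 and move together, so nothing else changes. The enclosing function `do_get_from_fd` continues outside the hunk.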
@@ -560,6 +562,7 @@ for( string = NULL, i = len = 200; ; i++ ) { if( i >= len-1 ) { char *save = string; + assert(len+100 > len); len += 100; string = hidden? xmalloc_secure ( len ) : xmalloc ( len ); if( save ) diff -uNr gnupg-1.4.18/g10/tlv.c gnupg-1.4.18.fefe/g10/tlv.c --- gnupg-1.4.18/g10/tlv.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/g10/tlv.c 2015-02-03 15:33:04.243653074 -0800 @@ -180,6 +180,8 @@ tag = 0; do { + if(((tag << 7) >> 7) != tag) /* int overflow? */ + return gpg_error (GPG_ERR_BAD_BER); tag <<= 7; if (!length) return gpg_error (GPG_ERR_EOF); @@ -190,6 +192,8 @@ while (c & 0x80); } *r_tag = tag; + if ((size_t)*r_tag != tag) /* truncation? */ + return gpg_error (GPG_ERR_BAD_BER); /* Get the length. */ if (!length) @@ -286,8 +290,12 @@ *buflen = n; return 0; } - for (vlen=0; n && *s && *s != ':' && (*s >= '0' && *s <= '9'); s++, n--) + for (vlen=0; n && *s && *s != ':' && (*s >= '0' && *s <= '9'); s++, n--) { + size_t old=vlen; vlen = vlen*10 + (*s - '0'); + if (vlen/10 != old) + return gpg_error (GPG_ERR_INV_SEXP); + } if (!n || *s != ':') return gpg_error (GPG_ERR_INV_SEXP); s++; n--; diff -uNr gnupg-1.4.18/g10/trustdb.c gnupg-1.4.18.fefe/g10/trustdb.c --- gnupg-1.4.18/g10/trustdb.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/g10/trustdb.c 2015-02-03 15:33:04.243653074 -0800 @@ -1624,7 +1624,14 @@ u32 expire; p = parse_sig_subpkt (sig->hashed, SIGSUBPKT_SIG_EXPIRE, NULL ); - expire = p? sig->timestamp + buffer_to_u32(p) : 0; + + if (p) { + /* the least we can do is not wrap around --fefe */ + expire = sig->timestamp + buffer_to_u32(p); + if (expire < sig->timestamp) + expire=(size_t)-1; /* all ones */ + } else + expire=0; if (expire==0 || expire > curtime ) { 
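Review bot: The truncation check `if ((size_t)*r_tag != tag)` after `*r_tag = tag;` can miss a value that does not fit: if `r_tag` points to a signed `int` (the cast suggests it is narrower or signed relative to `tag`) and `tag` is 0x80000000 on a 32-bit build, the stored value is INT_MIN, which casts back to the same bit pattern and passes. Comparing against the destination range before the store is exact, `if (tag > INT_MAX) return gpg_error (GPG_ERR_BAD_BER);` with `<limits.h>`; the types of `tag` and `*r_tag` are not visible here, so confirm them. The shift test `((tag << 7) >> 7) != tag` in the first hunk is only well-defined if `tag` is unsigned, since a signed left shift that overflows is undefined before the comparison runs. The `vlen/10 != old` check in the third hunk is correct, though the conventional form tests the limit before multiplying, `if (vlen > (SIZE_MAX - (size_t)(*s - '0')) / 10) return gpg_error (GPG_ERR_INV_SEXP);`. All three hunks sit inside functions that start and end outside them.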
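Review bot: `expire=(size_t)-1;` stores an all-ones `size_t` into the `u32 expire` declared at the top of the hunk, relying on implicit narrowing to produce 0xFFFFFFFF; the intent is clearer and type-correct as `expire = (u32)-1; /* wrapped: treat as never expiring */`. The saturation itself is sound: with `u32` arithmetic, `expire < sig->timestamp` is exactly the wrap condition. The `--fefe` sign-off in the comment belongs in the commit message rather than the source. The enclosing function starts and ends outside the hunk.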
@@ -2186,6 +2193,7 @@ *next_expire = pk->expiredate; if (nkeys == maxkeys) { + assert(maxkeys+1000 > maxkeys && (maxkeys+1001)*sizeof(*keys) > maxkeys*sizeof(*keys)); maxkeys += 1000; keys = xrealloc (keys, (maxkeys+1) * sizeof *keys); } diff -uNr gnupg-1.4.18/keyserver/gpgkeys_hkp.c gnupg-1.4.18.fefe/keyserver/gpgkeys_hkp.c --- gnupg-1.4.18/keyserver/gpgkeys_hkp.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/keyserver/gpgkeys_hkp.c 2015-02-03 15:33:04.244653074 -0800 @@ -162,11 +162,17 @@ else { char *tempkey; - keysize+=strlen(line); + { + size_t linelen=strlen(line); + if (keysize+linelen < keysize) goto kaputt; + keysize += linelen; + } tempkey=realloc(key,keysize); if(tempkey==NULL) { +kaputt: fprintf(console,"gpgkeys: unable to reallocate for key\n"); + free(key); ret=KEYSERVER_NO_MEMORY; goto fail; } diff -uNr gnupg-1.4.18/util/cert.c gnupg-1.4.18.fefe/util/cert.c --- gnupg-1.4.18/util/cert.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/util/cert.c 2015-02-03 15:33:04.244653074 -0800 @@ -140,6 +140,7 @@ /* 15 bytes takes us to here */ + if ((uintptr_t)pt>(uintptr_t)emsg || (uintptr_t)pt+dlen>(uintptr_t)emsg) goto fail; if(ctype==3 && iobuf && dlen) { /* PGP type */ diff -uNr gnupg-1.4.18/util/iobuf.c gnupg-1.4.18.fefe/util/iobuf.c --- gnupg-1.4.18/util/iobuf.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/util/iobuf.c 2015-02-03 15:33:04.244653074 -0800 @@ -2238,6 +2238,7 @@ while( (c=iobuf_get(a)) != -1 ) { if( nbytes == length ) { /* increase the buffer */ if( length > maxlen ) { /* this is out limit */ +truncate: /* skip the rest of the line */ while( c != '\n' && (c=iobuf_get(a)) != -1 ) ; @@ -2256,6 +2257,8 @@ } *p++ = c; nbytes++; + if (nbytes+1>=maxlen) + goto truncate; if( c == '\n' ) break; } diff -uNr gnupg-1.4.18/util/membuf.c gnupg-1.4.18.fefe/util/membuf.c --- gnupg-1.4.18/util/membuf.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/util/membuf.c 2015-02-03 15:33:56.708654739 -0800 
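Review bot: The new assert's first conjunct `maxkeys+1000 > maxkeys` is a no-op if `maxkeys` is a signed `int` (its declaration is outside the hunk): signed overflow is undefined, so the compiler may fold the comparison to true, and the second conjunct compares two products that can both have wrapped, so `>` proves nothing there either. A limit-based check is both defined and decisive, e.g. `if (maxkeys > SIZE_MAX / sizeof *keys - 1001) BUG();` before `maxkeys += 1000;`, with `<stdint.h>` for `SIZE_MAX` (adjust the comparison to `maxkeys`'s real type). The enclosing function starts and ends outside the hunk.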
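Review bot: `goto kaputt` jumps from outside the `if(tempkey==NULL)` block into its body, which is legal C but makes the error path hard to follow, and the added `free(key)` leaves `key` dangling on the way to `fail:`; if `fail:` (outside the hunk) also frees or inspects `key`, that is a double free or use-after-free. Folding the overflow check into the realloc failure path removes the label, and setting `key=NULL` after the `free` makes the `fail:` path safe regardless of what it does. The enclosing function starts and ends outside the hunk.
```c
	  char *tempkey;
	  size_t linelen=strlen(line);

	  if (keysize+linelen < keysize)
	    tempkey=NULL;            /* size would wrap: treat like realloc failure */
	  else
	    {
	      keysize += linelen;
	      tempkey=realloc(key,keysize);
	    }
	  if(tempkey==NULL)
	    {
	      fprintf(console,"gpgkeys: unable to reallocate for key\n");
	      free(key);
	      key=NULL;
	      ret=KEYSERVER_NO_MEMORY;
	      goto fail;
	    }
```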
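Review bot: `(uintptr_t)pt+dlen` wraps when `dlen` is large, so a record carrying an oversized length makes the sum smaller than `emsg` and the new bound check passes; comparing the remaining length instead of addresses cannot wrap, `if (pt > emsg || dlen > (size_t)(emsg - pt)) goto fail;`, and the pointer comparison is well-defined as long as `pt` and `emsg` address the same buffer (the "15 bytes takes us to here" comment suggests `pt` walks the buffer that `emsg` terminates; confirm). The types of `pt`, `emsg` and `dlen` are not visible in the hunk. If `uintptr_t` is kept, `<stdint.h>` must be included, which this diff does not add for cert.c. The enclosing function starts and ends outside the hunk.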
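Review bot: The new `if (nbytes+1>=maxlen) goto truncate;` runs before `if( c == '\n' ) break;`, so a line that ends exactly when the limit is reached is treated as truncated: the skip loop at `truncate:` sees `c == '\n'` and reads nothing, and whatever the truncation path after the label does (it is outside the hunk) is applied to a line that was already complete. Checking for the newline first fixes it: `if( c == '\n' ) break;` followed by `if (nbytes+1>=maxlen) goto truncate;`. The `goto` also enters the nested `if( length > maxlen )` block from outside, which is legal but deserves a comment at the label saying the jump is intentional. The enclosing function starts and ends outside the hunk.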
@@ -21,6 +21,7 @@ #include #include #include +#include #include "util.h" @@ -49,10 +50,13 @@ if (mb->out_of_core) return; + assert(mb->len + len > mb->len); if (mb->len + len >= mb->size) { char *p; + assert(len + 1024 > len); + assert(mb->size + len > mb->size); mb->size += len + 1024; p = xrealloc (mb->buf, mb->size); mb->buf = p; diff -uNr gnupg-1.4.18/util/strgutil.c gnupg-1.4.18.fefe/util/strgutil.c --- gnupg-1.4.18/util/strgutil.c 2014-06-30 09:46:23.000000000 -0700 +++ gnupg-1.4.18.fefe/util/strgutil.c 2015-02-03 15:33:04.244653074 -0800 @@ -23,6 +23,7 @@ #include #include #include +#include #ifdef HAVE_LANGINFO_CODESET #include #endif @@ -802,7 +803,7 @@ byte encbuf[8]; int encidx; const byte *s; - size_t n; + size_t n, old_n; byte *buffer = NULL, *p = NULL; unsigned long val = 0; size_t slen; @@ -811,7 +812,7 @@ /* 1. pass (p==NULL): count the extended utf-8 characters */ /* 2. pass (p!=NULL): create string */ for( ;; ) { - for( slen=length, nleft=encidx=0, n=0, s=string; slen; s++, slen-- ) { + for( slen=length, nleft=encidx=0, n=old_n=0, s=string; slen; s++, slen-- ) { if( resync ) { if( !(*s < 128 || (*s >= 0xc0 && *s <= 0xfd)) ) { /* still invalid */ @@ -982,6 +983,7 @@ } } + assert(n >= old_n); old_n=n; } if( !buffer ) { /* allocate the buffer after the first pass */ buffer = p = xmalloc( n + 1 );
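Review bot: `assert(mb->len + len > mb->len)` fails for `len == 0`, which is a wrap-free and presumably legitimate call (for example appending an empty string), so the new guard would abort on valid input; for a non-negative addend the correct relation is `assert(mb->len + len >= mb->len);`, and the same applies to `assert(mb->size + len > mb->size);` inside the grow branch, which is reached with `len == 0` when the buffer is exactly full. `assert(len + 1024 > len)` is fine as written. The enclosing function starts and ends outside the hunk.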
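Review bot: The added `assert(n >= old_n); old_n=n;` at the end of the inner loop body has no comment saying what it protects, and the `old_n` bookkeeping in the two earlier hunks reads as unexplained state; a one-liner such as `/* n only grows per input byte; a decrease means size_t wrapped */` at the assert, with the two statements on separate lines, would carry the intent. Any `continue` inside the loop body (which is outside the hunk) skips the check for that iteration, so confirm none exists before the end of the body. The enclosing function starts and ends outside all three hunks.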