gnupg-1.4.2.2-0.2.102mdk.src.rpm

--- gnupg-1.4.2.2/g10/parse-packet.c.cve-2006-3082	2006-02-14 03:10:17.000000000 -0700
+++ gnupg-1.4.2.2/g10/parse-packet.c	2006-06-20 11:08:21.224866381 -0600
@@ -1982,6 +1982,20 @@
 parse_user_id( IOBUF inp, int pkttype, unsigned long pktlen, PACKET *packet )
 {
     byte *p;
+    
+    /* Cap the size of a user ID at 2k: a value absurdly large enough
+       that there is no sane user ID string (which is printable text
+       as of RFC2440bis) that won't fit in it, but yet small enough to
+       avoid allocation problems.  A large pktlen may not be
+       allocatable, and a very large pktlen could actually cause our
+       allocation to wrap around in xmalloc to a small number. */
+
+    if(pktlen>2048)
+      {
+       log_error("packet(%d) too large\n", pkttype);
+       iobuf_skip_rest(inp, pktlen, 0);
+       return G10ERR_INVALID_PACKET;
+      }
 
     packet->pkt.user_id = m_alloc(sizeof *packet->pkt.user_id  + pktlen);
     packet->pkt.user_id->len = pktlen;
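Review bot: The 2048-byte limit appears as a bare literal in `if(pktlen>2048)` and again as "2k" in the comment, so the two can drift apart and no other parser can reuse the bound; a named constant such as `#define MAX_UID_PACKET_LENGTH 2048` would keep it a single auditable value. The `log_error` call reports only the packet type, so including the rejected length, `log_error("packet(%d) too large (%lu bytes)\n", pkttype, pktlen);`, would make a malformed or hostile key easier to triage from the log. This hunk bounds only parse_user_id; any other parser in this file that sizes an allocation as `sizeof ... + pktlen` is not visible here and should be checked for the same wrap-around. parse_user_id's body continues past the end of the hunk.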