From 02e847458369c08421fd2d5e9a16a5f272c2de9e Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 15 Aug 2024 11:13:47 +0200
Subject: [PATCH] openpgp: Avoid buffer overflow when writing fingerprint
Fix also surrounding code to return error (not just log it) when some step fails. Thanks oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70933
Signed-off-by: Jakub Jelen
CVE: CVE-2024-8443
Upstream-Status: Backport [https://github.com/OpenSC/OpenSC/commit/02e847458369c08421fd2d5e9a16a5f272c2de9e]
Signed-off-by: Zhang Peng
---
 src/libopensc/card-openpgp.c | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
index f99ec0db9..3957440de 100644
--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
@@ -2756,14 +2756,21 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime,
 	/* update the blob containing fingerprints (00C5) */
 	sc_log(card->ctx, "Updating fingerprint blob 00C5.");
 	fpseq_blob = pgp_find_blob(card, 0x00C5);
-	if (fpseq_blob == NULL)
-		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5");
+	if (fpseq_blob == NULL) {
+		r = SC_ERROR_OUT_OF_MEMORY;
+		LOG_TEST_GOTO_ERR(card->ctx, r, "Cannot find blob 00C5");
+	}
+	if (20 * key_info->key_id > fpseq_blob->len) {
+		r = SC_ERROR_OBJECT_NOT_VALID;
+		LOG_TEST_GOTO_ERR(card->ctx, r, "The 00C5 blob is not large enough");
+	}
 	/* save the fingerprints sequence */
 	newdata = malloc(fpseq_blob->len);
-	if (newdata == NULL)
-		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY,
-				"Not enough memory to update fingerprint blob 00C5");
+	if (newdata == NULL) {
+		r = SC_ERROR_OUT_OF_MEMORY;
+		LOG_TEST_GOTO_ERR(card->ctx, r, "Not enough memory to update fingerprint blob 00C5");
+	}
 	memcpy(newdata, fpseq_blob->data, fpseq_blob->len);
 	/* move p to the portion holding the fingerprint of the current key */
-- 
2.34.1
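Review bot: The new bounds check `if (20 * key_info->key_id > fpseq_blob->len)` is only sufficient if key_id is 1-based and never 0: for key_id == 0 the check passes for any blob length, and the offset computation that follows the hunk (per the comment "move p to the portion holding the fingerprint of the current key") would presumably then address memory before the start of newdata. If the caller guarantees key_id is in 1..3, state that above the check, e.g. `/* key_id is 1-based: fingerprint i occupies bytes 20*(i-1) .. 20*i-1 of blob 00C5 */`; otherwise extend the guard to `if (key_info->key_id == 0 || 20 * key_info->key_id > fpseq_blob->len)`. The literal 20 (a SHA-1 fingerprint) appears here and presumably again in the offset arithmetic, so a named constant such as `#define PGP_FINGERPRINT_LEN 20` would keep the check and the write tied to the same size. Separately, `r = SC_ERROR_OUT_OF_MEMORY;` on the "Cannot find blob 00C5" path is carried over from the old code, but a missing blob is not an allocation failure and an object-not-found style code would describe it better. pgp_calculate_and_store_fingerprint starts before the hunk and continues after it, so the actual use of p could not be checked here.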