From 4b77426a1e6f4e8eed952f9a3647e1ebe74e59ef Mon Sep 17 00:00:00 2001
From: scjones <scjones@users.savannah.nongnu.org>
Date: Wed, 30 Mar 2011 19:50:19 +0000
Subject: [PATCH] * gpg.c (parse_signature_subpacket): Correct spout->raw
 memory allocation. (Reported by David Taylor <dtaylor@emc.com>.)

---
 src/ChangeLog | 6 ++++++
 src/gpg.c     | 6 +++---
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/ChangeLog b/src/ChangeLog
index a06c09837..09fae66d0 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,9 @@
+2011-03-30  Larry Jones  <lawrence.jones@siemens.com>
+
+	* gpg.c (parse_signature_subpacket): Correct spout->raw memory
+	allocation. 
+	(Reported by David Taylor <dtaylor@emc.com>.)
+
 2010-10-21  Larry Jones  <lawrence.jones@siemens.com>
 
 	* rcs.c (apply_rcs_changes): Correct deltatext position sanity
diff --git a/src/gpg.c b/src/gpg.c
index 6ae98f5e3..f70a705e1 100644
--- a/src/gpg.c
+++ b/src/gpg.c
@@ -403,8 +403,8 @@ parse_signature_subpacket (struct buffer *bpin,
   uint32_t splen;
   size_t raw_idx = 0;
 
-  /* Enough to store the subpacket length.  */
-  spout->raw = xmalloc (4);
+  /* Enough to store the subpacket header.  */
+  spout->raw = xmalloc (5);
 
   if ((rc = read_u8 (bpin, &c)))
     return rc;
@@ -435,7 +435,7 @@ parse_signature_subpacket (struct buffer *bpin,
     error (1, 0, "Received zero length subpacket in OpenPGP signature.");
 
   /* Allocate enough bytes for the rest of the subpacket.  */
-  spout->raw = xrealloc (spout->raw, splen);
+  spout->raw = xrealloc (spout->raw, raw_idx + splen);
 
   /* Read the subpacket type.  */
   if ((rc = read_u8 (bpin, &c)))
-- 
GitLab