From 11b7e4139e82fcd0cee72f38964444a17c812547 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Mon, 26 Jan 2026 11:56:47 +0100
Subject: [PATCH] gpg: Fix possible NULL-deref with overlong
 signature packets.

* g10/parse-packet.c (parse_signature): Return an error for an overlong
subpacket area.
--

GnuPG-bug-id: 8049
Updates-commit: 36dbca3e6944d13e75e96eace634e58a7d7e201d
Co-authored-by: NIIBE Yutaka <gniibe@fsij.org>
Resported-by: OpenAI Security Research

A way to generate too long signature packets is:

  $ echo hallo | gpg -z0 -s -o x30001.sig \
    -N foo@gnupg.org="$(awk 'BEGIN{for(i=0;i<29917;i++){printf"a"}}')"

This is just one byte too long.

diff --git a/g10/parse-packet.c b/g10/parse-packet.c
index 22db04291..d7311e434 100644
--- a/g10/parse-packet.c
+++ b/g10/parse-packet.c
@@ -2212,6 +2212,10 @@ parse_revkeys (PKT_signature * sig)
 }
 
 
+/* Note that the function returns -1 to indicate an EOF (which also
+ * indicates a broken packet in this case.  In most other cases
+ * GPG_ERR_INV_PACKET is returned and callers of parse_packet will
+ * usually skipt this packet then.  */
 int
 parse_signature (IOBUF inp, int pkttype, unsigned long pktlen,
 		 PKT_signature * sig)
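Review bot: The comment added above the `int` line misspells "skip" as "skipt"; the last sentence should read `usually skip this packet then.  */`. Since this comment is now the only statement of parse_signature's return contract, it would also help to name the value used for the non-EOF failure paths explicitly, e.g. `Otherwise GPG_ERR_INV_PACKET (or another gpg error code) is returned and ...`, so a reader does not have to infer "most other cases" from the body. The body of parse_signature lies entirely outside this hunk.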
@@ -2287,6 +2291,7 @@ parse_signature (IOBUF inp, int pkttype, unsigned long pktlen,
           if (list_mode)
             es_fprintf (listfp,
                         ":signature packet: [hashed data too long (%u)]\n", n);
+          rc = GPG_ERR_INV_PACKET;
 	  goto leave;
 	}
       if (n)
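Review bot: The new `rc = GPG_ERR_INV_PACKET;` assigns the bare error code, which carries no error source; if the rest of parse-packet.c follows the libgpg-error convention of `rc = gpg_error (GPG_ERR_INV_PACKET);`, this line and the identical one in the unhashed-data hunk below should do the same so gpg_err_source() on the returned value stays consistent with the file's other failure paths (gpg_err_code() is unaffected either way). The fix itself is sound as far as visible: before this change the `goto leave` on the too-long branch was taken without rc being set, so the caller could treat a truncated signature as successfully parsed. parse_signature starts and ends outside the hunk, so whether rc is zero on entry to this branch and whether `leave:` returns it cannot be confirmed here; worth checking that no other early `goto leave` in the function still leaves rc unset.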
@@ -2318,6 +2323,7 @@ parse_signature (IOBUF inp, int pkttype, unsigned long pktlen,
             es_fprintf (listfp,
                         ":signature packet: [unhashed data too long (%u)]\n",
                         n);
+          rc = GPG_ERR_INV_PACKET;
 	  goto leave;
 	}
       if (n)
-- 
2.52.0

