From c7dcd1bfdf179cdba9d47c10a07301c0735a2216 Mon Sep 17 00:00:00 2001
From: "Brian C. Lane" <bcl@redhat.com>
Date: Tue, 19 Jul 2022 13:37:23 -0700
Subject: [PATCH] g10/status.c: Backport fix for status buffer overrun
This is a backport of upstream commit 34c649b3601383cd11dbc76221747ec16fd68e1b
Depending on the escaping and line wrapping the computed remaining
buffer length could be wrong. Fixed by always using a break to
terminate the escape detection loop. Might have happened for all
status lines which may wrap.
GnuPG-bug-id: T6027
Also see:
https://marc.info/?l=oss-security&m=165657063921408&w=2
Signed-off-by: Brian C. Lane <bcl@redhat.com>
---
g10/status.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/g10/status.c b/g10/status.c
index 5c43b277a..d1f6b4c48 100644
--- a/g10/status.c
+++ b/g10/status.c
@@ -305,17 +305,14 @@ write_status_text_and_buffer ( int no, const char *string,
}
first = 0;
}
- for (esc=0, s=buffer, n=len; n && !esc; s++, n-- ) {
+ for (esc=0, s=buffer, n=len; n; s++, n-- ) {
if ( *s == '%' || *(const byte*)s <= lower_limit
|| *(const byte*)s == 127 )
esc = 1;
- if ( wrap && ++count > wrap ) {
+ if ( wrap && ++count > wrap )
dowrap=1;
+ if (esc || dowrap)
break;
- }
- }
- if (esc) {
- s--; n++;
}
if (s != buffer)
fwrite (buffer, s-buffer, 1, statusfp );
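Review bot: The rewritten scan loop (`for (esc=0, s=buffer, n=len; n; s++, n-- )`) now depends on an invariant that is not written down anywhere. Every exit, whether through `break` or through `n` reaching 0, must leave `s` on the first byte not yet written and `n` equal to the bytes remaining from `s`. The removed `s--; n++` fixup was what broke this when `esc` and `dowrap` fired on the same byte, so a later edit that puts an exit condition back into the `for` header would silently reintroduce the length mismatch. I would add a comment above the loop such as `/* Leave the loop only via break or n == 0: s must point at the first unwritten byte and n must count the bytes from s, with no post-loop fixup. */`. The code that consumes `s` and `n` after the `fwrite` is outside this hunk, so the invariant should be confirmed against it, ideally with a regression case that puts an escaped byte exactly at the wrap column.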
--
2.35.3