Commit aa6b7053 authored by Ian Goldberg's avatar Ian Goldberg

Fix memory leak in otrl_instag_read_FILEp if the tag file is malformed

Thanks to Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> for the report.
Signed-off-by: 's avatarIan Goldberg <iang@cs.uwaterloo.ca>
Signed-off-by: 's avatarDavid Goulet <dgoulet@ev0ke.net>
parent 70d1df0d
......@@ -117,23 +117,35 @@ gcry_error_t otrl_instag_read_FILEp(OtrlUserState us, FILE *instf)
*pos = '\0';
pos++;
p->accountname = malloc(pos - prevpos);
if (!(p->accountname)) {
free(p);
return gcry_error(GPG_ERR_ENOMEM);
}
memmove(p->accountname, prevpos, pos - prevpos);
prevpos = pos;
pos = strchr(prevpos, '\t');
if (!pos) {
free(p->accountname);
free(p);
continue;
}
*pos = '\0';
pos++;
p->protocol = malloc(pos - prevpos);
if (!(p->protocol)) {
free(p->accountname);
free(p);
return gcry_error(GPG_ERR_ENOMEM);
}
memmove(p->protocol, prevpos, pos - prevpos);
prevpos = pos;
pos = strchr(prevpos, '\r');
if (!pos) pos = strchr(prevpos, '\n');
if (!pos) {
free(p->accountname);
free(p->protocol);
free(p);
continue;
}
......@@ -141,6 +153,8 @@ gcry_error_t otrl_instag_read_FILEp(OtrlUserState us, FILE *instf)
pos++;
/* hex str of length 8 */
if (strlen(prevpos) != 8) {
free(p->accountname);
free(p->protocol);
free(p);
continue;
}
......@@ -148,6 +162,8 @@ gcry_error_t otrl_instag_read_FILEp(OtrlUserState us, FILE *instf)
sscanf(prevpos, "%08x", &instag);
if (instag < OTRL_MIN_VALID_INSTAG) {
free(p->accountname);
free(p->protocol);
free(p);
continue;
}
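Review bot: The tag value is still read with `sscanf(prevpos, "%08x", &instag)` and the return value is ignored, while the `strlen(prevpos) != 8` test before it only proves the field has 8 characters, not 8 hex digits. A field that starts with hex digits and ends in other characters converts just the leading digits, and can still pass the `OTRL_MIN_VALID_INSTAG` comparison if that prefix is large enough. If nothing converts, `instag` keeps its earlier value; its declaration is outside the hunks, so whether it is reset for each line cannot be seen here. Since this commit targets malformed tag files, such lines should take the same cleanup path, for example `if (strlen(prevpos) != 8 || strspn(prevpos, "0123456789abcdefABCDEF") != 8) {`, together with a check that `sscanf` returned 1. The body of otrl_instag_read_FILEp starts before and continues after the hunks shown.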
......