From 7dec871f82e205107a81281e3286f0aa9caa93b3 Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
Date: Wed, 4 Jan 2017 14:56:50 +0100
Subject: opencdk: cdk_pk_get_keyid: fix stack overflow

Issue found using oss-fuzz:
  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=340

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
---
 lib/opencdk/pubkey.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/opencdk/pubkey.c b/lib/opencdk/pubkey.c
index 6e753bd256..da43129f9a 100644
--- a/lib/opencdk/pubkey.c
+++ b/lib/opencdk/pubkey.c
@@ -518,6 +518,7 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid)
 {
 	u32 lowbits = 0;
 	byte buf[24];
+	int rc;
 
 	if (pk && (!pk->keyid[0] || !pk->keyid[1])) {
 		if (pk->version < 4 && is_RSA(pk->pubkey_algo)) {
@@ -525,7 +526,12 @@ u32 cdk_pk_get_keyid(cdk_pubkey_t pk, u32 * keyid)
 			size_t n;
 
 			n = MAX_MPI_BYTES;
-			_gnutls_mpi_print(pk->mpi[0], p, &n);
+			rc = _gnutls_mpi_print(pk->mpi[0], p, &n);
+			if (rc < 0 || n < 8) {
+				keyid[0] = keyid[1] = (u32)-1;
+				return (u32)-1;
+			}
+
 			pk->keyid[0] =
 			    p[n - 8] << 24 | p[n - 7] << 16 | p[n -
 								6] << 8 |
-- 
cgit v1.2.1