From e73501f208625d48db2b111b571421d25a78838f Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Wed, 8 Mar 2017 14:52:38 -0500
Subject: Do not attempt to parse a 32-bit integer if a packet is not 4 bytes.
This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=737
Signed-off-by: Alex Gaynor
---
 lib/opencdk/keydb.c | 2 +-
 tests/cert-tests/data/openpgp-invalid10.pub | Bin 0 -> 52 bytes
 tests/cert-tests/openpgp-cert-parser | 2 +-
 3 files changed, 2 insertions(+), 2 deletions(-)
 create mode 100644 tests/cert-tests/data/openpgp-invalid10.pub
diff --git a/lib/opencdk/keydb.c b/lib/opencdk/keydb.c
index 6fc0b9ec43..f78d35f68f 100644
--- a/lib/opencdk/keydb.c
+++ b/lib/opencdk/keydb.c
@@ -1400,7 +1400,7 @@ keydb_parse_allsigs(cdk_kbnode_t knode, cdk_keydb_hd_t hd, int check)
 signature->
 hashed, CDK_SIGSUBPKT_KEY_EXPIRE);
- if (s) {
+ if (s && s->size == 4) {
 expiredate = _cdk_buftou32(s->d);
 pk->expiredate =
diff --git a/tests/cert-tests/data/openpgp-invalid10.pub b/tests/cert-tests/data/openpgp-invalid10.pub
new file mode 100644
index 0000000000..f1cd353eb4
Binary files /dev/null and b/tests/cert-tests/data/openpgp-invalid10.pub differ
diff --git a/tests/cert-tests/openpgp-cert-parser b/tests/cert-tests/openpgp-cert-parser
index 4ac5a6f946..f17e160a0c 100755
--- a/tests/cert-tests/openpgp-cert-parser
+++ b/tests/cert-tests/openpgp-cert-parser
@@ -43,7 +43,7 @@ echo "Checking OpenPGP certificate parsing"
 for i in "truncated.pub" "attribute-leak-1.pub" "subpkt-leak.pub" "openpgp-invalid1.pub" \
 "openpgp-invalid2.pub" "openpgp-invalid3.pub" "openpgp-invalid4.pub" "openpgp-invalid5.pub" \
 "openpgp-invalid6.pub" "openpgp-invalid7.pub" "openpgp-invalid8.pub" \
- "openpgp-invalid9.pub";do
+ "openpgp-invalid9.pub" "openpgp-invalid10";do
 ${VALGRIND} "${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/data/${i}"
 rc=$?
 if test $rc != 1;then
-- cgit v1.2.1
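Review bot: The `4` in the new `if (s && s->size == 4)` guard is a bare magic number and should carry a why-comment such as `/* RFC 4880 5.2.3.6: key expiration time is a 4-octet value; _cdk_buftou32() reads exactly 4 bytes */`, so a later reader knows the check exists because of the reader's fixed width rather than a policy choice. Note also that a KEY_EXPIRE subpacket of the wrong size is now silently skipped instead of rejected, which leaves `pk->expiredate` at whatever it held before (presumably "never expires"); a malformed subpacket quietly turning into a non-expiring key is a security-relevant default and deserves either a deliberate comment or an error return, though whether keydb_parse_allsigs has an error path to use is not visible here. If other fixed-width subpackets (for instance signature expiration or creation time) are read with `_cdk_buftou32` elsewhere in this function, they likely need the same size guard. keydb_parse_allsigs both starts and ends outside this hunk.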
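Review bot: The added loop entry `"openpgp-invalid10"` is missing the `.pub` suffix that every other entry carries and that the new test file `tests/cert-tests/data/openpgp-invalid10.pub` (per the diffstat and `create mode` line) has, so `--infile "${srcdir}/data/${i}"` points certtool at a nonexistent path and the new regression input is never actually parsed. The test may still appear to pass if certtool's exit status for a missing file happens to be 1, which would hide the mistake rather than surface it. The added line should read `"openpgp-invalid9.pub" "openpgp-invalid10.pub";do`.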