From 375d30bcbbd07eb82144533fd4a30640af680e81 Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Tue, 30 Jan 2024 11:15:46 +0100 Subject: [PATCH] pgcrypto: Fix check for buffer size The code copying the PGP block into the temp buffer failed to account for the extra 2 bytes in the buffer which are needed for the prefix. If the block was oversized, subsequent checks of the prefix would have exceeded the buffer size. Since the block sizes are hardcoded in the list of supported ciphers it can be verified that there is no live bug here. Backpatch all the way for consistency though, as this bug is old. Author: Mikhail Gribkov Discussion: https://postgr.es/m/CAMEv5_uWvcMCMdRFDsJLz2Q8g16HEa9xWyfrkr+FYMMFJhawOw@mail.gmail.com Backpatch-through: v12 --- contrib/pgcrypto/pgp-decrypt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/contrib/pgcrypto/pgp-decrypt.c b/contrib/pgcrypto/pgp-decrypt.c index 3ecbf9c0c25..f74c2f760bb 100644 --- a/contrib/pgcrypto/pgp-decrypt.c +++ b/contrib/pgcrypto/pgp-decrypt.c @@ -250,7 +250,8 @@ prefix_init(void **priv_p, void *arg, PullFilter *src) uint8 tmpbuf[PGP_MAX_BLOCK + 2]; len = pgp_get_cipher_block_size(ctx->cipher_algo); - if (len > sizeof(tmpbuf)) + /* Make sure we have space for prefix */ + if (len > PGP_MAX_BLOCK) return PXE_BUG; res = pullf_read_max(src, len + 2, &buf, tmpbuf);
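Review bot: In the prefix_init hunk of contrib/pgcrypto/pgp-decrypt.c, the new bound `len > PGP_MAX_BLOCK` is only right while two other lines stay as they are: the declaration `uint8 tmpbuf[PGP_MAX_BLOCK + 2]` and the read `pullf_read_max(src, len + 2, &buf, tmpbuf)`. The comment "Make sure we have space for prefix" does not say that the 2 extra bytes are the ones requested by that read. I would either write the check against the buffer and the read size directly, for example `if (len + 2 > sizeof(tmpbuf))`, or extend the comment to state that len + 2 bytes are read into tmpbuf. That way a later change to the buffer size or the prefix length cannot silently reintroduce the off-by-two that the old `len > sizeof(tmpbuf)` check had. The commit message's statement that there is no live bug rests on the hardcoded cipher block sizes, which are not visible in this hunk, so a short pointer in the comment to where those sizes are defined would help the next reader verify it.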