From cab00c3bfcc88e7321fb9670956758cdee50f49c Mon Sep 17 00:00:00 2001
From: Xi Wang
Date: Fri, 25 Nov 2011 23:01:18 -0500
Subject: [PATCH] pki: Fix integer overflow in ssh_pki_import_privkey_file().

If the file size is ULONG_MAX, the call to malloc() may allocate a small buffer, leading to a memory corruption.
---
 src/pki.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/pki.c b/src/pki.c
index 9f677b02..977f4bc1 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -457,6 +457,7 @@ int ssh_pki_import_privkey_file(const char *filename,
 filename, strerror(errno));
 return SSH_ERROR;
 }
+ key_buf[size] = 0;
 key = pki_private_key_from_base64(key_buf, passphrase, auth_fn, auth_data);
 SAFE_FREE(key_buf);
@@ -815,6 +816,10 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey)
 return SSH_ERROR;
 }
 
+ if (sb.st_size + 1 < sb.st_size) {
+ return SSH_ERROR;
+ }
+
 file = fopen(filename, "r");
 if (file == NULL) {
 ssh_pki_log("Error opening %s: %s",
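Review bot: The added `key_buf[size] = 0;` writes one byte past the data that was read, so it is in bounds only if the buffer was allocated with `sb.st_size + 1` bytes, and that allocation and any guard on the addition are outside this hunk. The subject names `ssh_pki_import_privkey_file()` as the function with the overflow, yet the only `st_size + 1` guard in the patch lands in `ssh_pki_import_pubkey_file()` (second hunk); unless this function already has an equivalent check before its allocation, the same guard belongs here too, or the subject should name the pubkey function. A short why-comment would help the next reader, e.g. `/* NUL-terminate: the base64 parser expects a C string */`, hedged on what pki_private_key_from_base64() actually requires since its contract is not visible here. The enclosing function starts and ends outside the hunk.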
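Review bot: The new guard `if (sb.st_size + 1 < sb.st_size)` relies on wrap-around, but `st_size` is an `off_t`, a signed type on POSIX, so the addition overflowing is undefined behavior and a compiler is entitled to fold the whole condition to false and drop the check. Test the bound without performing the overflowing addition, e.g. `if (sb.st_size < 0 || (uintmax_t)sb.st_size >= SIZE_MAX) { return SSH_ERROR; }`, which also rejects a negative size before it is converted for the allocation. Since a public key file is small by nature, an explicit upper bound on the accepted size (a named constant, to be defined) would be a simpler and stricter check than merely avoiding wrap-around, and it also keeps a huge file from being read into memory. The allocation this protects and the rest of the function are outside the hunk.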