From 5e8f1f9c853eff2fe49cc7f1dadb285b3c337c18 Mon Sep 17 00:00:00 2001
From: John Hernandez <129467592+H3rnand3zzz@users.noreply.github.com>
Date: Thu, 13 Apr 2023 10:14:54 +0200
Subject: [PATCH 1/2] Fix memory corruption crash
Under certain circumstances setting plain_str[len] to 0 might lead to crash and it does not follow the best practices as well. This change allows better handling of buffer copying and prevents crash.
---
 src/pgp/gpg.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/src/pgp/gpg.c b/src/pgp/gpg.c
index 8762660d..3ef69c1d 100644
--- a/src/pgp/gpg.c
+++ b/src/pgp/gpg.c
@@ -721,10 +721,9 @@ p_gpg_decrypt(const char* const cipher)
 char* plain_str = gpgme_data_release_and_get_mem(plain_data, &len);
 char* result = NULL;
 if (plain_str) {
- plain_str[len] = 0;
- result = g_strdup(plain_str);
+ result = strndup(plain_str, len);
+ gpgme_free(plain_str);
 }
- gpgme_free(plain_str);
 if (passphrase_attempt) {
 passphrase = strdup(passphrase_attempt);
From 899b26b3bce7bc7575be79df0cb9462c9e17623a Mon Sep 17 00:00:00 2001
From: John Hernandez <129467592+H3rnand3zzz@users.noreply.github.com>
Date: Thu, 13 Apr 2023 15:26:19 +0200
Subject: [PATCH 2/2] Cleanup p_ox_gpg_decrypt
In OX implementation gpgme's buffer remains untouched, thus not leading to the crash. But code can be shorter and more concise.
---
 src/pgp/ox.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/pgp/ox.c b/src/pgp/ox.c
index 71fa6c8c..4d42a2a7 100644
--- a/src/pgp/ox.c
+++ b/src/pgp/ox.c
@@ -419,10 +419,12 @@ p_ox_gpg_decrypt(char* base64)
 size_t len;
 char* plain_str = gpgme_data_release_and_get_mem(plain, &len);
- char* result = malloc(len + 1);
- memcpy(result, plain_str, len);
- result[len] = '\0';
- gpgme_free(plain_str);
+ char* result = NULL;
+ if (plain_str) {
+ result = strndup(plain_str, len);
+ gpgme_free(plain_str);
+ }
+ return result;
 }
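Review bot: The bounded copy `result = strndup(plain_str, len);` in p_gpg_decrypt (src/pgp/gpg.c) has no comment recording why the bound is needed, so nothing stops a later edit from restoring the removed `plain_str[len] = 0;`, which the commit message ties to the crash. I would put `/* gpgme reports len bytes for this buffer: copy with a bound, never write plain_str[len] */` above it. The copy also moves from `g_strdup` to libc `strndup`, which returns NULL when allocation fails, so `result` can now be NULL even after a successful decrypt. The callers and the way they release the string are outside the hunk and should be checked for a matching `free()` and a NULL test. The function body starts and ends outside the hunk.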
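Review bot: p_ox_gpg_decrypt (src/pgp/ox.c) now returns NULL when gpgme hands back no buffer or when `strndup` fails, and that contract is not documented anywhere in the hunk. The removed lines passed `plain_str` to `memcpy` without a NULL test and wrote through an unchecked `malloc` result, so this is a behaviour change for callers rather than only the cleanup the description announces. I would add a comment on the function such as `/* Returns a newly allocated, NUL-terminated copy of the plaintext, or NULL; release with free(). */` and confirm that the callers, which are not visible here, test for NULL. The start of the function is outside the hunk.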