authorAlex Gaynor <alex.gaynor@gmail.com>2017-03-05 02:21:30 +0000
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-03-05 17:53:01 +0100
commit1cd710fbb93564e529fd961483e7609a8a3738f0 (patch)
tree7f1ee2f28dd659d174699eb5e2a1d91582d13737
parentc922433e8311d0af2e30f77e2992d7dcf963d076 (diff)
downloadgnutls-1cd710fbb93564e529fd961483e7609a8a3738f0.tar.gz
Enforce the max packet length for OpenPGP subpackets as well
This addresses: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=392 Signed-off-by: Alex Gaynor <alex.gaynor@gmail.com>
-rw-r--r--lib/opencdk/read-packet.c9
-rw-r--r--tests/cert-tests/data/openpgp-invalid9.pubbin0 -> 16 bytes
-rwxr-xr-xtests/cert-tests/openpgp-cert-parser3
3 files changed, 9 insertions, 3 deletions
diff --git a/lib/opencdk/read-packet.c b/lib/opencdk/read-packet.c
index e7a1ceaac8..f86659a023 100644
--- a/lib/opencdk/read-packet.c
+++ b/lib/opencdk/read-packet.c
@@ -570,6 +570,9 @@ read_user_id(cdk_stream_t inp, size_t pktlen, cdk_pkt_userid_t user_id)
}
+#define MAX_PACKET_LEN (1<<24)
+
+
static cdk_error_t
read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
{
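Review bot: `MAX_PACKET_LEN` is moved above read_subpkt without any comment, and judging by the commit title it now bounds both whole packets and subpackets, so its position no longer explains its purpose. I would put a line above the define such as `/* Largest value accepted from an untrusted length field; anything larger is rejected before allocation. */`. The two blank lines added after the define could be reduced to one.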
@@ -609,6 +612,10 @@ read_subpkt(cdk_stream_t inp, cdk_subpkt_t * r_ctx, size_t * r_nbytes)
else
return CDK_Inv_Packet;
+ if (size >= MAX_PACKET_LEN) {
+ return CDK_Inv_Packet;
+ }
+
node = cdk_subpkt_new(size);
if (!node)
return CDK_Out_Of_Core;
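Review bot: The new guard in read_subpkt bounds `size` only from above and only against a fixed 16 MiB constant, so `cdk_subpkt_new(size)` on the following line can still allocate just under 16 MiB per subpacket from a length field taken from the input, before any payload has been read. read_subpkt's signature has no remaining-length parameter, so it cannot compare `size` with what is left of the enclosing packet; if the callers know that figure, checking it there or passing it in would give a much tighter bound. At minimum, a comment on the guard would record the intent, e.g. `/* length comes from untrusted input: reject before allocating */`. The function body starts and ends outside this hunk, so it should be confirmed separately that very small values such as 0 are handled safely further down.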
@@ -951,8 +958,6 @@ static cdk_error_t skip_packet(cdk_stream_t inp, size_t pktlen)
return 0;
}
-#define MAX_PACKET_LEN (1<<24)
-
/**
* cdk_pkt_read:
* @inp: the input stream
diff --git a/tests/cert-tests/data/openpgp-invalid9.pub b/tests/cert-tests/data/openpgp-invalid9.pub
new file mode 100644
index 0000000000..5fbab2a0b5
--- /dev/null
+++ b/tests/cert-tests/data/openpgp-invalid9.pub
Binary files differ
diff --git a/tests/cert-tests/openpgp-cert-parser b/tests/cert-tests/openpgp-cert-parser
index 7f22271077..4ac5a6f946 100755
--- a/tests/cert-tests/openpgp-cert-parser
+++ b/tests/cert-tests/openpgp-cert-parser
@@ -42,7 +42,8 @@ echo "Checking OpenPGP certificate parsing"
for i in "truncated.pub" "attribute-leak-1.pub" "subpkt-leak.pub" "openpgp-invalid1.pub" \
"openpgp-invalid2.pub" "openpgp-invalid3.pub" "openpgp-invalid4.pub" "openpgp-invalid5.pub" \
- "openpgp-invalid6.pub" "openpgp-invalid7.pub" "openpgp-invalid8.pub";do
+ "openpgp-invalid6.pub" "openpgp-invalid7.pub" "openpgp-invalid8.pub" \
+ "openpgp-invalid9.pub";do
${VALGRIND} "${CERTTOOL}" --inraw --pgp-certificate-info --infile "${srcdir}/data/${i}"
rc=$?
if test $rc != 1;then