openpgp: Avoid buffer overflow when writing fingerprint

Thanks oss-fuzz https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=70933 Signed-off-by: Jakub Jelen <[email protected]>
Jakuje · Aug 15, 2024 · 2a30c86 · 2a30c86
1 parent 78bbb1b
commit 2a30c86
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/src/libopensc/card-openpgp.c b/src/libopensc/card-openpgp.c
@@ -2781,8 +2781,12 @@ pgp_calculate_and_store_fingerprint(sc_card_t *card, time_t ctime,
 	/* update the blob containing fingerprints (00C5) */
 	sc_log(card->ctx, "Updating fingerprint blob 00C5.");
 	fpseq_blob = pgp_find_blob(card, 0x00C5);
-	if (fpseq_blob == NULL)
+	if (fpseq_blob == NULL) {
 		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OUT_OF_MEMORY, "Cannot find blob 00C5");
+	}
+	if (20 * key_info->key_id > fpseq_blob->len) {
+		LOG_TEST_GOTO_ERR(card->ctx, SC_ERROR_OBJECT_NOT_VALID, "The 00C5 blob is not large enough");
+	}
 
 	/* save the fingerprints sequence */
 	newdata = malloc(fpseq_blob->len);