bug-cvs

cvs bug -- write/read beyond end of allocated area


From: David Taylor
Subject: cvs bug -- write/read beyond end of allocated area
Date: Wed, 30 Mar 2011 10:52:28 -0400

Running the testsuite, cvs was aborting in test basica-o7.
If I ran the same command outside of the testsuite, it ran fine.

During my investigations, I ran it under valgrind and it found a problem
in gpg.c (parse_signature_subpacket) -- cvs is writing (and then
reading) past the end of the allocated area.  Visual inspection revealed
a second, very similar problem in the same function -- in both cases it
allocates room for 4 bytes and writes 5.  Oops.

Here's a patch (cvs diff -u) against the trunk.  After applying this
patch, valgrind no longer complains and basica-o7 passes rather than
aborting.

Index: gpg.c
===================================================================
RCS file: /sources/cvs/ccvs/src/gpg.c,v
retrieving revision 1.4
diff -u -r1.4 gpg.c
--- gpg.c       24 May 2006 16:38:50 -0000      1.4
+++ gpg.c       30 Mar 2011 14:51:10 -0000
@@ -404,7 +404,7 @@
   size_t raw_idx = 0;
 
   /* Enough to store the subpacket length.  */
-  spout->raw = xmalloc (4);
+  spout->raw = xmalloc (5);
 
   if ((rc = read_u8 (bpin, &c)))
     return rc;
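Review bot: the comment above `spout->raw = xmalloc (5);` still reads "Enough to store the subpacket length" without saying where 5 comes from; an OpenPGP subpacket length prefix occupies 1, 2 or 5 octets, so either say so in the comment or replace the literal with a named constant, otherwise the next reader has no reason not to shrink it back to 4.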
@@ -435,7 +435,7 @@
     error (1, 0, "Received zero length subpacket in OpenPGP signature.");
 
   /* Allocate enough bytes for the rest of the subpacket.  */
-  spout->raw = xrealloc (spout->raw, splen);
+  spout->raw = xrealloc (spout->raw, splen + 1);
 
   /* Read the subpacket type.  */
   if ((rc = read_u8 (bpin, &c)))
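Review bot: `xrealloc (spout->raw, splen + 1)` carries no comment explaining which byte the extra octet accommodates, and the hunk does not show the index arithmetic that writes at offset splen, so the bound cannot be checked from the diff alone; document it next to the xrealloc. Also, if splen can hold the full 32-bit value from the 5-octet length form, `splen + 1` wraps to 0 on a platform with a 32-bit size_t; the zero-length check just above is the natural place for an upper-bound check on splen as well.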

David
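As an added illustration (not part of David's message or of the CVS gpg.c source), here is a bounds-checked decoder for the OpenPGP subpacket length prefix, which takes 1, 2 or 5 octets, so that a raw buffer of 4 cannot hold the longest form; the function and buffer names are assumptions, and the input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* An OpenPGP subpacket length prefix is 1, 2 or 5 octets (0xFF + 4),
 * so a raw buffer of 4 is one short for the longest form. */
#define SUBPKT_LEN_MAX_OCTETS 5

/* Decode the length prefix at the start of in[], keeping the prefix octets
 * in raw[] (capacity raw_cap) the way gpg.c keeps a raw copy of the
 * subpacket.  Returns the number of prefix octets consumed, or 0 if the
 * input is truncated or raw[] is too small, instead of writing past it. */
size_t decode_subpacket_len(const uint8_t *in, size_t in_len,
                            uint8_t *raw, size_t raw_cap, uint32_t *splen)
{
    size_t need;

    if (in_len < 1)
        return 0;
    if (in[0] < 192)
        need = 1;           /* one-octet form: 0..191 */
    else if (in[0] < 255)
        need = 2;           /* two-octet form: 192..8383 */
    else
        need = 5;           /* 0xFF followed by a 32-bit big-endian length */

    if (in_len < need || raw_cap < need)
        return 0;           /* would read or write out of bounds */
    memcpy(raw, in, need);

    if (need == 1)
        *splen = in[0];
    else if (need == 2)
        *splen = (((uint32_t)in[0] - 192) << 8) + in[1] + 192;
    else
        *splen = ((uint32_t)in[1] << 24) | ((uint32_t)in[2] << 16) |
                 ((uint32_t)in[3] << 8) | in[4];
    return need;
}

/* Reproduce the report's condition: feed the 5-octet form to a raw buffer
 * of raw_cap bytes.  Returns 1 if it fits, 0 if the decoder refused it. */
int raw_buffer_holds_longest_prefix(size_t raw_cap)
{
    const uint8_t five[5] = { 0xFF, 0x00, 0x00, 0x01, 0x00 }; /* constructed: length 256 */
    uint8_t raw[SUBPKT_LEN_MAX_OCTETS];
    uint32_t splen = 0;

    if (raw_cap > sizeof raw)
        raw_cap = sizeof raw;
    return decode_subpacket_len(five, sizeof five, raw, raw_cap, &splen) == 5
           && splen == 256;
}
```

With a 4-byte buffer the decoder returns 0 where the unpatched code would have written a fifth byte past the allocation; with 5 bytes it succeeds.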


