X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/6e3c47cb9cf52992ff76e7e9795ea37fe6a884db..HEAD:/sshpubk.c

diff --git a/sshpubk.c b/sshpubk.c
index 76aa3436..ac9e0fa7 100644
--- a/sshpubk.c
+++ b/sshpubk.c
@@ -67,14 +67,15 @@ static int loadrsakey_main(FILE * fp, struct RSAKey *key, int pub_only,
     i += 4;
 
     /* Now the serious stuff. An ordinary SSH-1 public key. */
-    i += makekey(buf + i, len, key, NULL, 1);
-    if (i < 0)
+    j = makekey(buf + i, len, key, NULL, 1);
+    if (j < 0)
 	goto end;		       /* overran */
+    i += j;
 
     /* Next, the comment field. */
-    j = GET_32BIT(buf + i);
+    j = toint(GET_32BIT(buf + i));
     i += 4;
-    if (len - i < j)
+    if (j < 0 || len - i < j)
 	goto end;
     comment = snewn(j + 1, char);
     if (comment) {
@@ -257,8 +258,8 @@ int rsakey_pubblob(const Filename *filename, void **blob, int *bloblen,
 	    *blob = rsa_public_blob(&key, bloblen);
 	    freersakey(&key);
 	    ret = 1;
-	    fp = NULL;
 	}
+	fp = NULL; /* loadrsakey_main unconditionally closes fp */
     } else {
 	error = "not an SSH-1 RSA file";
     }
@@ -462,7 +463,7 @@ static int read_header(FILE * fp, char *header)
     int len = 39;
     int c;
 
-    while (len > 0) {
+    while (1) {
 	c = fgetc(fp);
 	if (c == '\n' || c == '\r' || c == EOF)
 	    return 0;		       /* failure */
@@ -679,7 +680,6 @@ struct ssh2_userkey *ssh2_load_userkey(const Filename *filename,
 	cipher = 0;
 	cipherblk = 1;
     } else {
-	sfree(encryption);
 	goto error;
     }
 
@@ -1008,6 +1008,8 @@ int ssh2_userkey_encrypted(const Filename *filename, char **commentptr)
 
     if (commentptr)
 	*commentptr = comment;
+    else
+        sfree(comment);
 
     fclose(fp);
     if (!strcmp(b, "aes256-cbc"))