File gnupg-CVE-2025-68973.patch of Package gpg2.42184

From 1e929abd20fa2e4be3797a137caca63a971d5372 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Thu, 23 Oct 2025 11:36:04 +0200
Subject: [PATCH] gpg: Fix possible memory corruption in the armor parser.

* g10/armor.c (armor_filter): Fix faulty double increment.

--

This fixes a bug in a code path which can only be reached with specially
crafted input data and would then error out at an upper layer due to
corrupt input (every second byte in the buffer is uninitialized
garbage).  No fuzzing has yet hit this case and we don't have a test
case for this code path.  However memory corruption can never be
tolerated as it always has the potential for remote code execution.

Reported-by: 49016 and Liam (two-heart)
Fixes-commit: c27c7416d5148865a513e007fb6f0a34993a6073
which fixed
Fixes-commit: 7d0efec7cf5ae110c99511abc32587ff0c45b14f

Backported-from-master: 115d138ba599328005c5321c0ef9f00355838ca9

The bug was introduced on 1999-01-07 by me:
* armor.c: Rewrote large parts.
which I fixed on 1999-03-02 but missed to fix the other case:
* armor.c (armor_filter): Fixed armor bypassing.
---
 g10/armor.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/g10/armor.c b/g10/armor.c
index 8fcb74ac5..5595089b7 100644
--- a/g10/armor.c
+++ b/g10/armor.c
@@ -1027,8 +1027,8 @@ armor_filter( void *opaque, int control,
 	n = 0;
 	if( afx->buffer_len ) {
             /* Copy the data from AFX->BUFFER to BUF.  */
-	    for(; n < size && afx->buffer_pos < afx->buffer_len; n++ )
-		buf[n++] = afx->buffer[afx->buffer_pos++];
+            for(; n < size && afx->buffer_pos < afx->buffer_len;)
+                buf[n++] = afx->buffer[afx->buffer_pos++];
 	    if( afx->buffer_pos >= afx->buffer_len )
 		afx->buffer_len = 0;
 	}
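Review bot: The corrected copy loop (the added "for(; n < size && afx->buffer_pos < afx->buffer_len;)" line) lands without a regression test, and the commit message itself says neither a test case nor fuzzing reaches this path; a test that exercises the branch where afx->buffer_len is non-zero, with an odd value of size, would pin the fix. With the removed double increment n advanced by two per copied byte, so only every second slot of buf was written and n could leave the loop at size + 1; an assertion that n <= size after the loop would document the invariant the fix restores. Two smaller points: the added lines are indented with spaces while the surrounding context lines use tabs, and a for statement with an empty third clause would read more clearly as a while loop.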