[PATCH] Fix memory corruption when importing malformed public keys.
- Subject: [PATCH] Fix memory corruption when importing malformed public keys.
- From: Artem Savkov <asavkov@xxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Tue, 19 Apr 2016 14:44:49 +0200
- To: libssh@xxxxxxxxxx
- Cc: bpeck@xxxxxxxxxx, Artem Savkov <asavkov@xxxxxxxxxx>, Jan Stancek <jstancek@xxxxxxxxxx>
When importing a malformed public key (e.g. one not ending with a whitespace
character) it is possible for libssh to overwrite memory outside of a block
allocated for key_buf in ssh_pki_import_pubkey_file().
Signed-off-by: Jan Stancek <jstancek@xxxxxxxxxx>
Signed-off-by: Artem Savkov <asavkov@xxxxxxxxxx>
---
src/pki.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/pki.c b/src/pki.c
index 39a7515..cfc5b23 100644
--- a/src/pki.c
+++ b/src/pki.c
@@ -1067,7 +1067,7 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey)
key_buf[size] = '\0';
q = p = key_buf;
- while (!isspace((int)*p)) p++;
+ while (*p && !isspace((int)*p)) p++;
*p = '\0';
type = ssh_key_type_from_name(q);
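Review bot: the `(int)*p` cast in the new line `while (*p && !isspace((int)*p)) p++;` still lets a negative `char` value (any byte >= 0x80 in the key file, on platforms where `char` is signed) reach isspace(), which is undefined behaviour for values other than EOF; cast through `(unsigned char)` instead. The added `*p` test itself is correct: with `key_buf[size] = '\0';` written just above, the scan now stops at the terminator instead of running past the end of the allocation when the file contains no whitespace at all.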
@@ -1075,9 +1075,13 @@ int ssh_pki_import_pubkey_file(const char *filename, ssh_key *pkey)
SAFE_FREE(key_buf);
return SSH_ERROR;
}
- q = ++p;
- while (!isspace((int)*p)) p++;
- *p = '\0';
+ if (p - key_buf < size) {
+ q = ++p;
+ while (*p && !isspace((int)*p)) p++;
+ *p = '\0';
+ } else {
+ q = p;
+ }
rc = ssh_pki_import_pubkey_base64(q, type, pkey);
SAFE_FREE(key_buf);
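Review bot: both degenerate inputs still fall through to ssh_pki_import_pubkey_base64() with an empty string instead of failing early. If the first scan reached the terminator, `p - key_buf < size` is false and the else branch sets `q = p`, so `q` points at the '\0' at key_buf[size]; if the whitespace that ended the type token was the last byte of the file, `q = ++p;` lands on that same terminator. Consider `if (*q == '\0') { SAFE_FREE(key_buf); return SSH_ERROR; }` before the base64 import, which would also let the else branch go away. Separately, the type of `size` is not visible in this hunk; if it is unsigned, `p - key_buf < size` is a signed/unsigned comparison that compilers will warn about, so a cast or an explicit `(size_t)(p - key_buf)` would be clearer.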
--
2.5.5
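The bug described in the commit message is a field scanner that trusts the file to contain whitespace. As an added example (not libssh's code and not part of the patch above), the following C program shows a bounded version of the same two-token "type base64" split: it stops at the NUL terminator placed at buf[size], rejects a line that has no second field, and also tolerates a run of whitespace between the fields, which the patched code does not. The function names split_pubkey_line() and parse_pubkey_image() and the key strings are constructed for this example; the key material is placeholder text, not a real key.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded scanner modelled on the patched loop in
 * ssh_pki_import_pubkey_file(). buf must have room for size + 1 bytes; the
 * terminator is written at buf[size] so every loop below has a stop byte.
 * On success *type and *b64 point into buf and 0 is returned; -1 means the
 * line does not carry two fields. */
static int split_pubkey_line(char *buf, size_t size,
                             const char **type, const char **b64)
{
    char *p = buf;

    buf[size] = '\0';
    *type = buf;

    /* First field: the key type. The *p test is what the patch adds. */
    while (*p && !isspace((unsigned char)*p)) p++;
    if (*p == '\0')
        return -1;                 /* no whitespace at all: one field only */
    *p++ = '\0';

    /* Skip any run of separators instead of assuming exactly one. */
    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '\0')
        return -1;                 /* trailing whitespace, no key material */
    *b64 = p;

    /* Second field: the base64 blob; again bounded by the terminator. */
    while (*p && !isspace((unsigned char)*p)) p++;
    *p = '\0';
    return 0;
}

/* Copy a raw file image of `size` bytes into a fresh size + 1 buffer, the
 * way key_buf is populated, then parse it. On success the caller owns *buf
 * and must free it; on failure *buf is NULL. */
static int parse_pubkey_image(const char *data, size_t size, char **buf,
                              const char **type, const char **b64)
{
    int rc;

    *buf = malloc(size + 1);
    if (*buf == NULL)
        return -1;
    memcpy(*buf, data, size);
    rc = split_pubkey_line(*buf, size, type, b64);
    if (rc != 0) {
        free(*buf);
        *buf = NULL;
    }
    return rc;
}

int main(void)
{
    /* Constructed inputs: a well-formed line, then the two malformed shapes
     * the patch is about (no whitespace at all, whitespace only at the end). */
    const char *samples[] = {
        "ssh-ed25519 AAAAC3Nza user@host\n",
        "ssh-ed25519",
        "ssh-ed25519 ",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char *buf;
        const char *type, *b64;
        if (parse_pubkey_image(samples[i], strlen(samples[i]),
                               &buf, &type, &b64) == 0) {
            printf("ok   type=%s b64=%s\n", type, b64);
            free(buf);
        } else {
            printf("fail malformed line %zu\n", i);
        }
    }
    return 0;
}
```

Every loop is bounded by the terminator written at buf[size], so the worst a malformed file can do is make the parse fail; it can never move p past the allocation.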