--- /dev/null
+From: Werner Koch <wk@gnupg.org>
+Date: Mon, 2 Jan 2017 13:29:18 +0100
+Subject: Replace use of variable-length-arrays.
+
+* common/t-iobuf.c (main): Replace variable-length-array.
+* g10/gpgcompose.c (mksubpkt_callback): Ditto.
+(encrypted): Ditto.
+* g10/t-stutter.c (log_hexdump): Ditto.
+(oracle_test): Ditto.
+* g10/tofu.c (get_policy): Ditto. Use "%zu" for size_t.
+* scd/app-openpgp.c (ecc_writekey): Replace variable-length-array.
+Check for zero length OID_LEN.
+
+Signed-off-by: Werner Koch <wk@gnupg.org>
+(cherry picked from commit 6b84ecbf312d98ac8cce9fe5facdc815bc742fa1)
+---
+ common/t-iobuf.c | 6 ++++--
+ g10/gpgcompose.c | 17 ++++++++++++-----
+ g10/t-stutter.c | 17 ++++++++++-------
+ g10/tofu.c | 6 +++---
+ scd/app-openpgp.c | 14 +++++++++++++-
+ 5 files changed, 42 insertions(+), 18 deletions(-)
+
+diff --git a/common/t-iobuf.c b/common/t-iobuf.c
+index 0e6f508a5..bdeab99a4 100644
+--- a/common/t-iobuf.c
++++ b/common/t-iobuf.c
+@@ -362,10 +362,12 @@ main (int argc, char *argv[])
+ {
+ iobuf_t iobuf;
+ int rc;
+- char *content = "0123456789";
++ char content[] = "0123456789";
+ int n;
+ int c;
+- char buffer[strlen (content)];
++ char buffer[10];
++
++ assert (sizeof buffer == sizeof content - 1);
+
+ iobuf = iobuf_temp_with_content (content, strlen (content));
+ assert (iobuf);
+diff --git a/g10/gpgcompose.c b/g10/gpgcompose.c
+index 512cb450a..fafbfd274 100644
+--- a/g10/gpgcompose.c
++++ b/g10/gpgcompose.c
+@@ -1654,13 +1654,17 @@ mksubpkt_callback (PKT_signature *sig, void *cookie)
+
+ if (si->reason_for_revocation)
+ {
+- int l = 1 + strlen (si->reason_for_revocation);
+- char buf[l];
++ int len = 1 + strlen (si->reason_for_revocation);
++ char *buf;
++
++ buf = xmalloc (len);
+
+ buf[0] = si->reason_for_revocation_code;
+- memcpy (&buf[1], si->reason_for_revocation, l - 1);
++ memcpy (&buf[1], si->reason_for_revocation, len - 1);
++
++ build_sig_subpkt (sig, SIGSUBPKT_REVOC_REASON, buf, len);
+
+- build_sig_subpkt (sig, SIGSUBPKT_REVOC_REASON, buf, l);
++ xfree (buf);
+ }
+
+ if (si->features)
+@@ -2540,10 +2544,13 @@ encrypted (const char *option, int argc, char *argv[], void *cookie)
+
+ if (do_debug)
+ {
+- char buf[2 * session_key.keylen + 1];
++ char *buf;
++
++ buf = xmalloc (2 * session_key.keylen + 1);
+ debug ("session key: algo: %d; keylen: %d; key: %s\n",
+ session_key.algo, session_key.keylen,
+ bin2hex (session_key.key, session_key.keylen, buf));
++ xfree (buf);
+ }
+
+ if (strcmp (option, "--encrypted-mdc") == 0)
+diff --git a/g10/t-stutter.c b/g10/t-stutter.c
+index a2e9666bf..359cdf622 100644
+--- a/g10/t-stutter.c
++++ b/g10/t-stutter.c
+@@ -68,8 +68,8 @@ log_hexdump (byte *buffer, int length)
+ {
+ int have = length > 16 ? 16 : length;
+ int i;
+- char formatted[2 * have + 1];
+- char text[have + 1];
++ char formatted[2 * 16 + 1];
++ char text[16 + 1];
+
+ fprintf (stderr, "%-8d ", written);
+ bin2hex (buffer, have, formatted);
+@@ -87,10 +87,12 @@ log_hexdump (byte *buffer, int length)
+ }
+
+ for (i = 0; i < have; i ++)
+- if (isprint (buffer[i]))
+- text[i] = buffer[i];
+- else
+- text[i] = '.';
++ {
++ if (isprint (buffer[i]))
++ text[i] = buffer[i];
++ else
++ text[i] = '.';
++ }
+ text[i] = 0;
+
+ fprintf (stderr, " ");
+@@ -347,8 +349,9 @@ oracle (int debug, byte *ciphertext, int len, byte **plaintextp, byte **cfbp)
+ static int
+ oracle_test (unsigned int d, int b, int debug)
+ {
+- byte probe[blocksize + 2];
++ byte probe[32 + 2];
+
++ log_assert (blocksize + 2 <= sizeof probe);
+ log_assert (d < 256 * 256);
+
+ if (b == 1)
+diff --git a/g10/tofu.c b/g10/tofu.c
+index 2bded9e8d..8d535fa6c 100644
+--- a/g10/tofu.c
++++ b/g10/tofu.c
+@@ -2457,16 +2457,16 @@ get_policy (tofu_dbs_t dbs, PKT_public_key *pk,
+ /* See if the key is signed by an ultimately trusted key. */
+ {
+ int fingerprint_raw_len = strlen (fingerprint) / 2;
+- char fingerprint_raw[fingerprint_raw_len];
++ char fingerprint_raw[20];
+ int len = 0;
+
+- if (fingerprint_raw_len != 20
++ if (fingerprint_raw_len != sizeof fingerprint_raw
+ || ((len = hex2bin (fingerprint,
+ fingerprint_raw, fingerprint_raw_len))
+ != strlen (fingerprint)))
+ {
+ if (DBG_TRUST)
+- log_debug ("TOFU: Bad fingerprint: %s (len: %zd, parsed: %d)\n",
++ log_debug ("TOFU: Bad fingerprint: %s (len: %zu, parsed: %d)\n",
+ fingerprint, strlen (fingerprint), len);
+ }
+ else
+diff --git a/scd/app-openpgp.c b/scd/app-openpgp.c
+index 5fa4fd294..4d8b1bc9e 100644
+--- a/scd/app-openpgp.c
++++ b/scd/app-openpgp.c
+@@ -3580,11 +3580,23 @@ ecc_writekey (app_t app, gpg_error_t (*pincb)(void*, const char *, char **),
+ {
+ if (app->app_local->extcap.algo_attr_change)
+ {
+- unsigned char keyattr[oid_len];
++ unsigned char *keyattr;
+
++ if (!oid_len)
++ {
++ err = gpg_error (GPG_ERR_INTERNAL);
++ goto leave;
++ }
++ keyattr = xtrymalloc (oid_len);
++ if (!keyattr)
++ {
++ err = gpg_error_from_syserror ();
++ goto leave;
++ }
+ keyattr[0] = algo;
+ memcpy (keyattr+1, oidbuf+1, oid_len-1);
+ err = change_keyattr (app, keyno, keyattr, oid_len, pincb, pincb_arg);
++ xfree (keyattr);
+ if (err)
+ goto leave;
+ }