diff options
author | Jay Berkenbilt <ejb@ql.org> | 2018-08-12 19:16:15 +0200 |
---|---|---|
committer | Jay Berkenbilt <ejb@ql.org> | 2018-08-12 19:16:17 +0200 |
commit | 932799baab58df23cc1899720fd4637c4360d195 (patch) | |
tree | 08e8129e28cec0378b4caa275e056aa8974f6113 | |
parent | b6e414b10b3ae7b28ad16da2027106ec59a99a0a (diff) | |
download | qpdf-932799baab58df23cc1899720fd4637c4360d195.tar.zst |
Fix memory access error
A previous fix introduced a potentially memory overrun under certain
rare conditions. The test suite now once again passes with address
sanitizer.
-rw-r--r-- | libqpdf/QPDF_encryption.cc | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/libqpdf/QPDF_encryption.cc b/libqpdf/QPDF_encryption.cc index 612a6204..b05e070b 100644 --- a/libqpdf/QPDF_encryption.cc +++ b/libqpdf/QPDF_encryption.cc @@ -437,11 +437,10 @@ QPDF::compute_encryption_key_from_password( md5.encodeDataIncrementally(bytes, 4); } MD5::Digest digest; - iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0), - data.getLengthBytes()); - return std::string(reinterpret_cast<char*>(digest), - std::min(static_cast<int>(sizeof(digest)), - data.getLengthBytes())); + int key_len = std::min(static_cast<int>(sizeof(digest)), + data.getLengthBytes()); + iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0), key_len); + return std::string(reinterpret_cast<char*>(digest), key_len); } static void @@ -464,8 +463,9 @@ compute_O_rc4_key(std::string const& user_password, md5.encodeDataIncrementally( pad_or_truncate_password_V4(password).c_str(), key_bytes); MD5::Digest digest; - iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0), - data.getLengthBytes()); + int key_len = std::min(static_cast<int>(sizeof(digest)), + data.getLengthBytes()); + iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0), key_len); memcpy(key, digest, OU_key_bytes_V4); } |