diff options
| author | Jay Berkenbilt <ejb@ql.org> | 2015-02-21 23:30:45 +0100 |
|---|---|---|
| committer | Jay Berkenbilt <ejb@ql.org> | 2015-02-21 23:51:08 +0100 |
| commit | 28a9df5119af12d6d97edf4fa97f88ce23865096 (patch) | |
| tree | 194fbf3aebac4d2cd8250a581b6d7daca807c4b0 | |
| parent | c729e07d55c870e7e08f158f0a80a3d452c59cdc (diff) | |
| download | qpdf-28a9df5119af12d6d97edf4fa97f88ce23865096.tar.zst | |
Avoid buffer overrun copying digest
Converting a password to an encryption key is supposed to copy up to a
certain number of bytes from a digest. Make sure never to copy more
than the size of the digest.
| -rw-r--r-- | ChangeLog | 5 | ||||
| -rw-r--r-- | libqpdf/QPDF_encryption.cc | 4 |
2 files changed, 8 insertions, 1 deletions
@@ -1,5 +1,10 @@ 2015-02-21 Jay Berkenbilt <ejb@ql.org> + * Prevent buffer overrun when converting a password to an + encryption key. Thanks to Gynvael Coldwind and Mateusz Jurczyk of + the Google Security Team for providing a sample file with this + problem. + * Ensure that arguments to "R" when parsing the file are direct objects before trying to resolve them. This prevents specially crafted files from causing qpdf to crash with a stack overflow. diff --git a/libqpdf/QPDF_encryption.cc b/libqpdf/QPDF_encryption.cc index 23284809..71c28d0e 100644 --- a/libqpdf/QPDF_encryption.cc +++ b/libqpdf/QPDF_encryption.cc @@ -428,7 +428,9 @@ QPDF::compute_encryption_key_from_password( } MD5::Digest digest; iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0)); - return std::string(reinterpret_cast<char*>(digest), data.getLengthBytes()); + return std::string(reinterpret_cast<char*>(digest), + std::min(static_cast<int>(sizeof(digest)), + data.getLengthBytes())); } static void |