-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | libqpdf/QPDF_encryption.cc | 4 |
2 files changed, 8 insertions, 1 deletions
@@ -1,5 +1,10 @@
 2015-02-21 Jay Berkenbilt <ejb@ql.org>
+ * Prevent buffer overrun when converting a password to an
+ encryption key. Thanks to Gynvael Coldwind and Mateusz Jurczyk of
+ the Google Security Team for providing a sample file with this
+ problem.
+
 * Ensure that arguments to "R" when parsing the file are direct objects before trying to resolve them. This prevents specially crafted files from causing qpdf to crash with a stack overflow.
diff --git a/libqpdf/QPDF_encryption.cc b/libqpdf/QPDF_encryption.cc
index 23284809..71c28d0e 100644
--- a/libqpdf/QPDF_encryption.cc
+++ b/libqpdf/QPDF_encryption.cc
@@ -428,7 +428,9 @@ QPDF::compute_encryption_key_from_password(
 }
 MD5::Digest digest;
 iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0));
- return std::string(reinterpret_cast<char*>(digest), data.getLengthBytes());
+ return std::string(reinterpret_cast<char*>(digest),
+ std::min(static_cast<int>(sizeof(digest)),
+ data.getLengthBytes()));
 }
 static void |
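Review bot: The length passed on the new `return std::string(...)` line in libqpdf/QPDF_encryption.cc is clamped only from above, so a negative `data.getLengthBytes()` would pass through `std::min` unchanged and be converted to a very large `size_t` by the `std::string` constructor. Whether an earlier check already rejects such a value is not visible here, because the body of `compute_encryption_key_from_password` starts outside the hunk; a lower bound at this point is a cheap safeguard, e.g. `std::max(0, std::min(static_cast<int>(sizeof(digest)), data.getLengthBytes()))`. The clamp also silently shortens the key when the file declares a length larger than the digest, so a short comment such as `// key length comes from the file and is untrusted; never read past sizeof(digest)` would record why the bound is there. Reporting the out-of-range length as a damaged-file condition where it is parsed would make the problem visible instead of quietly producing a truncated key.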