From c5ed1b8075f412b2e9cfd9cf01f41ba04d3af2bc Mon Sep 17 00:00:00 2001
From: Jay Berkenbilt <ejb@ql.org>
Date: Sat, 22 Jun 2019 20:45:10 -0400
Subject: Handle invalid encryption Length (fixes #333)

---
 libqpdf/QPDF_encryption.cc | 42 +++++++++++++++++++++++++++++-------------
 1 file changed, 29 insertions(+), 13 deletions(-)

(limited to 'libqpdf/QPDF_encryption.cc')

diff --git a/libqpdf/QPDF_encryption.cc b/libqpdf/QPDF_encryption.cc
index b5f16e0c..b15cb29d 100644
--- a/libqpdf/QPDF_encryption.cc
+++ b/libqpdf/QPDF_encryption.cc
@@ -935,22 +935,38 @@ QPDF::initializeEncryption()
         pad_short_parameter(Perms, Perms_key_bytes_V5);
     }
 
-    int Length = 40;
-    if (encryption_dict.getKey("/Length").isInteger())
+    int Length = 0;
+    if (V <= 1)
     {
-	Length = encryption_dict.getKey("/Length").getIntValueAsInt();
-        if (R < 3)
+        Length = 40;
+    }
+    else if (V == 4)
+    {
+        Length = 128;
+    }
+    else if (V == 5)
+    {
+        Length = 256;
+    }
+    else
+    {
+        if (encryption_dict.getKey("/Length").isInteger())
+        {
+            Length = encryption_dict.getKey("/Length").getIntValueAsInt();
+            if ((Length % 8) || (Length < 40) || (Length > 128))
+            {
+                Length = 0;
+            }
+        }
+        if (Length == 0)
         {
-            // Force Length to 40 regardless of what the file says.
-            Length = 40;
+            Length = 128;
         }
-	if ((Length % 8) || (Length < 40) || (Length > 256))
-	{
-	    throw QPDFExc(qpdf_e_damaged_pdf, this->m->file->getName(),
-			  "encryption dictionary",
-                          this->m->file->getLastOffset(),
-			  "invalid /Length value in encryption dictionary");
-	}
+    }
+    if (Length == 0)
+    {
+        // Still no Length? Just take a guess.
+        Length = 128;
     }
 
     this->m->encp->encrypt_metadata = true;
-- 
cgit v1.2.3-54-g00ecf