Avoid buffer overrun copying digest

Converting a password to an encryption key is supposed to copy up to a certain number of bytes from a digest. Make sure never to copy more than the size of the digest.
2015-02-21 17:30:45 -05:00 · 2015-02-21 17:30:45 -05:00 · 28a9df5119
parent c729e07d55
commit 28a9df5119
2 changed files with 8 additions and 1 deletions
--- a/5
+++ b/5
@ -1,5 +1,10 @@
 2015-02-21  Jay Berkenbilt  <ejb@ql.org>

+	* Prevent buffer overrun when converting a password to an
+	encryption key. Thanks to Gynvael Coldwind and Mateusz Jurczyk of
+	the Google Security Team for providing a sample file with this
+	problem.
+
 	* Ensure that arguments to "R" when parsing the file are direct
 	objects before trying to resolve them. This prevents specially
 	crafted files from causing qpdf to crash with a stack overflow.
--- a/libqpdf/QPDF_encryption.cc
+++ b/libqpdf/QPDF_encryption.cc
@ -428,7 +428,9 @@ QPDF::compute_encryption_key_from_password(
    }
    MD5::Digest digest;
    iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0));
-    return std::string(reinterpret_cast<char*>(digest), data.getLengthBytes());
+    return std::string(reinterpret_cast<char*>(digest),
+                       std::min(static_cast<int>(sizeof(digest)),
+                                data.getLengthBytes()));
 }

 static void