octoleo/qpdf
2
1
Fork 0
mirror of https://github.com/qpdf/qpdf.git synced 2025-01-31 02:48:31 +00:00
Code Issues Releases Wiki Activity

Avoid buffer overrun copying digest

Browse Source 
Converting a password to an encryption key is supposed to copy up to a
certain number of bytes from a digest. Make sure never to copy more
than the size of the digest.
This commit is contained in:
Jay Berkenbilt 2015-02-21 17:30:45 -05:00
parent c729e07d55
commit 28a9df5119
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -1,5 +1,10 @@
2015-02-21 Jay Berkenbilt <ejb@ql.org>
* Prevent buffer overrun when converting a password to an
encryption key. Thanks to Gynvael Coldwind and Mateusz Jurczyk of
the Google Security Team for providing a sample file with this
problem.
* Ensure that arguments to "R" when parsing the file are direct
objects before trying to resolve them. This prevents specially
crafted files from causing qpdf to crash with a stack overflow.

4
libqpdf/QPDF_encryption.cc
View File

@ -428,7 +428,9 @@ QPDF::compute_encryption_key_from_password(
}
MD5::Digest digest;
iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0));
return std::string(reinterpret_cast<char*>(digest), data.getLengthBytes());
return std::string(reinterpret_cast<char*>(digest),
std::min(static_cast<int>(sizeof(digest)),
data.getLengthBytes()));
}
static void