From 64e98397104f3fff759c27eb40092085e287755e Mon Sep 17 00:00:00 2001 From: m-holger Date: Fri, 8 Nov 2024 12:44:36 +0000 Subject: [PATCH] Validate key length in Pl_AES_PDF constructor --- fuzz/CMakeLists.txt | 1 + fuzz/qpdf_extra/377977949.fuzz | Bin 0 -> 1041 bytes fuzz/qtest/fuzz.test | 2 +- libqpdf/Pl_AES_PDF.cc | 3 +++ 4 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 fuzz/qpdf_extra/377977949.fuzz diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt index daacf030..6b3cccf8 100644 --- a/fuzz/CMakeLists.txt +++ b/fuzz/CMakeLists.txt @@ -149,6 +149,7 @@ set(CORPUS_OTHER 99999e.fuzz 369662293.fuzz 369662293a.fuzz + 377977949.fuzz ) set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus) diff --git a/fuzz/qpdf_extra/377977949.fuzz b/fuzz/qpdf_extra/377977949.fuzz new file mode 100644 index 0000000000000000000000000000000000000000..bb35598490f9d847ba22d847871044e7c03602a7 GIT binary patch literal 1041 zcmbVLO>Yx15KRwU_RJ5M0}-dPw%4ChRMa+!gaEZ_+FnWz{+Mlp(%ouzi&B0Le}p4H zi5q2{6nX=J*RtgGyyuxW&*S6ie3!p6#rW&@FQc9I#gBpmgEo9DCKGr)TMyXu%eLvi z0qx8E>C68Z2eZ+K41aidc#h}T5h3jDC zmmKhzQ+e3lH3M)c-!4-R7f@}$m%rd!#w|2M^6?Y2p?ZcMIA6X#c(svEA{&yM>^a9J6cCOr>n)V`Edpl6KyUz zNiHLm&!x};gLYQQ#3UCLic0c|^hw%9@2m*1a;&1PjP)u{#&y&}$q*%rGPo!rG1%mj z5sXqlBi%%FCX%|Q_N1$2%y>@pK2pilzRCxZfy>%N7MQLXBGUnR)*vBAB${(jkH*ce z%l_E9uPFELhU?iU@*kAbmN5nm6hr5iD{@YLTqkXteZ6@Ki{)no2j!b7TukbiQdP4$ zkj{=-6*RAt4J<|Gv@>e&?-BGoW=-twZwG2nzJVOw5561L9o7YvW{dH7b~G=30-N1C A9smFU literal 0 HcmV?d00001 diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test index 6448d5f0..efffdc67 100644 --- a/fuzz/qtest/fuzz.test +++ b/fuzz/qtest/fuzz.test @@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz'); my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS"; -my $n_qpdf_files = 86; # increment when adding new files +my $n_qpdf_files = 87; # increment when adding new files my @fuzzers = ( ['ascii85' => 1], diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc index d621bdd8..8b3982ba 100644 
--- a/libqpdf/Pl_AES_PDF.cc
+++ b/libqpdf/Pl_AES_PDF.cc
@@ -23,6 +23,9 @@ Pl_AES_PDF::Pl_AES_PDF(
 if (!next) {
 throw std::logic_error("Attempt to create Pl_AES_PDF with nullptr as next");
 }
+ if (!(key_bytes == 32 || key_bytes == 16)) {
+ throw std::runtime_error("unsupported key length");
+ }
 this->key = std::make_unique(key_bytes);
 std::memcpy(this->key.get(), key, key_bytes);
 std::memset(this->inbuf, 0, this->buf_size);
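Review bot: The new guard ahead of the key allocation throws a bare "unsupported key length", which omits the rejected value and, unlike the `!next` message just above it, does not name the class. The added fuzz case suggests the length can be driven by document data, so the value is what someone triaging a malformed file will want; consider `throw std::runtime_error("Pl_AES_PDF: unsupported key length " + std::to_string(key_bytes));` together with a one-line comment such as `// only 16-byte (AES-128) and 32-byte (AES-256) keys are accepted`. The condition would also read more directly as `key_bytes != 16 && key_bytes != 32`. The `key` pointer handed to `std::memcpy` is not checked in the visible lines, which is worth confirming against the callers; the constructor's signature and the rest of its body lie outside the hunk.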