From 0258384d534052080ab0db0f6f029b8c2993ce9a Mon Sep 17 00:00:00 2001
From: Michael R Sweet
Date: Sat, 18 Nov 2023 18:22:11 -0500
Subject: [PATCH] Range check encrypted string length (Issue #52)
---
 CHANGES.md | 6 ++++++
 pdfio-crypto.c | 9 ++++++++-
 pdfio-value.c | 5 ++++-
 3 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 939494e..72e768a 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -2,6 +2,12 @@ Changes in PDFio
 ================
+v1.1.4 (Month DD, YYYY)
+-----------------------
+
+- Fixed detection of encrypted strings that are too short (Issue #52)
+
+
 v1.1.3 (November 15, 2023)
 --------------------------
diff --git a/pdfio-crypto.c b/pdfio-crypto.c
index 6d02f58..fa90ed8 100644
--- a/pdfio-crypto.c
+++ b/pdfio-crypto.c
@@ -449,8 +449,15 @@ _pdfio_crypto_cb_t // O - Decryption callback or `NULL` for none
 *ivlen = 0;
 return ((_pdfio_crypto_cb_t)_pdfioCryptoRC4Crypt);
- case PDFIO_ENCRYPTION_RC4_128 :
 case PDFIO_ENCRYPTION_AES_128 :
+ if (*ivlen < 16)
+ {
+ *ivlen = 0;
+ _pdfioFileError(pdf, "Value too short for AES encryption.");
+ return (NULL);
+ }
+
+ case PDFIO_ENCRYPTION_RC4_128 :
 // Copy the key data for the MD5 hash.
 memcpy(data, pdf->file_key, sizeof(pdf->file_key));
 data[16] = (uint8_t)obj->number;
diff --git a/pdfio-value.c b/pdfio-value.c
index 1007465..94af151 100644
--- a/pdfio-value.c
+++ b/pdfio-value.c
@@ -383,7 +383,10 @@ _pdfioValueRead(pdfio_file_t *pdf, // I - PDF file
 return (false);
 }
- cb = _pdfioCryptoMakeReader(pdf, obj, &ctx, v->value.binary.data, &ivlen);
+ ivlen = v->value.binary.datalen;
+ if ((cb = _pdfioCryptoMakeReader(pdf, obj, &ctx, v->value.binary.data, &ivlen)) == NULL)
+ return (false);
+
 templen = (cb)(&ctx, temp, v->value.binary.data + ivlen, v->value.binary.datalen - ivlen);
 // Copy the decrypted string back to the value and adjust the length...
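Review bot: In pdfio-crypto.c the reordered `case PDFIO_ENCRYPTION_AES_128 :` now falls through into `case PDFIO_ENCRYPTION_RC4_128 :` after the length check, and nothing marks that as deliberate. A comment such as `// Fall through to derive the per-object key...` just before the RC4 label would keep a later edit from adding a `break` there and skipping key setup. `*ivlen` is now read on entry as the number of available bytes as well as written on exit, so the function header should document it as in/out; the visible header comment still says "`NULL` for none" although `NULL` is now also the error return for a too-short value. Any caller outside this diff has to initialise `*ivlen` before the call, otherwise the new check reads an indeterminate value. The switch and the function body continue outside the hunk.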
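Review bot: In pdfio-value.c the `templen` call still computes `v->value.binary.datalen - ivlen`, which is safe only while the reader hands back an `ivlen` no larger than the value length. The AES-128 case in this patch guarantees that and the visible RC4 path sets `*ivlen = 0`, but the remaining modes are not shown here. If `ivlen` is an unsigned type (presumably `size_t`), a larger value would wrap into a very large length passed to the decrypt callback. A local guard before the call, `if (ivlen > v->value.binary.datalen) return (false);`, makes the caller robust regardless of which mode is selected. _pdfioValueRead's body starts and ends outside the hunk.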