Range check encrypted string length (Issue #52)

CHANGES.md

@@ -2,6 +2,12 @@ Changes in PDFio
 ================
 
 
+v1.1.4 (Month DD, YYYY)
+-----------------------
+
+- Fixed detection of encrypted strings that are too short (Issue #52)
+
+
 v1.1.3 (November 15, 2023)
 --------------------------
 

pdfio-crypto.c

@@ -449,8 +449,15 @@ _pdfio_crypto_cb_t			// O  - Decryption callback or `NULL` for none
 	*ivlen = 0;
 	return ((_pdfio_crypto_cb_t)_pdfioCryptoRC4Crypt);
 
-    case PDFIO_ENCRYPTION_RC4_128 :
     case PDFIO_ENCRYPTION_AES_128 :
+        if (*ivlen < 16)
+        {
+          *ivlen = 0;
+          _pdfioFileError(pdf, "Value too short for AES encryption.");
+          return (NULL);
+        }
+
+    case PDFIO_ENCRYPTION_RC4_128 :
 	// Copy the key data for the MD5 hash.
 	memcpy(data, pdf->file_key, sizeof(pdf->file_key));
 	data[16] = (uint8_t)obj->number;

pdfio-value.c

@@ -383,7 +383,10 @@ _pdfioValueRead(pdfio_file_t   *pdf,	// I - PDF file
 	return (false);
       }
 
-      cb      = _pdfioCryptoMakeReader(pdf, obj, &ctx, v->value.binary.data, &ivlen);
+      ivlen = v->value.binary.datalen;
+      if ((cb = _pdfioCryptoMakeReader(pdf, obj, &ctx, v->value.binary.data, &ivlen)) == NULL)
+	return (false);
+
       templen = (cb)(&ctx, temp, v->value.binary.data + ivlen, v->value.binary.datalen - ivlen);
 
       // Copy the decrypted string back to the value and adjust the length...