Range check encrypted string length (Issue #52)

2024-11-08 06:28:27 +01:00 · 2023-11-18 18:22:11 -05:00 · 2023-11-18 18:22:11 -05:00 · 0258384d53
commit 0258384d53
parent 9fec2195d0
3 changed files with 18 additions and 2 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -2,6 +2,12 @@ Changes in PDFio
 ================


+v1.1.4 (Month DD, YYYY)
+-----------------------
+
+- Fixed detection of encrypted strings that are too short (Issue #52)
+
+
 v1.1.3 (November 15, 2023)
 --------------------------

--- a/pdfio-crypto.c
+++ b/pdfio-crypto.c
@ -449,8 +449,15 @@ _pdfio_crypto_cb_t			// O  - Decryption callback or `NULL` for none
 	*ivlen = 0;
 	return ((_pdfio_crypto_cb_t)_pdfioCryptoRC4Crypt);

-    case PDFIO_ENCRYPTION_RC4_128 :
    case PDFIO_ENCRYPTION_AES_128 :
+        if (*ivlen < 16)
+        {
+          *ivlen = 0;
+          _pdfioFileError(pdf, "Value too short for AES encryption.");
+          return (NULL);
+        }
+
+    case PDFIO_ENCRYPTION_RC4_128 :
 	// Copy the key data for the MD5 hash.
 	memcpy(data, pdf->file_key, sizeof(pdf->file_key));
 	data[16] = (uint8_t)obj->number;
--- a/pdfio-value.c
+++ b/pdfio-value.c
@ -383,7 +383,10 @@ _pdfioValueRead(pdfio_file_t   *pdf,	// I - PDF file
 	return (false);
      }

-      cb      = _pdfioCryptoMakeReader(pdf, obj, &ctx, v->value.binary.data, &ivlen);
+      ivlen = v->value.binary.datalen;
+      if ((cb = _pdfioCryptoMakeReader(pdf, obj, &ctx, v->value.binary.data, &ivlen)) == NULL)
+	return (false);
+
      templen = (cb)(&ctx, temp, v->value.binary.data + ivlen, v->value.binary.datalen - ivlen);

      // Copy the decrypted string back to the value and adjust the length...