From 0feace3eb59bf10cfbb9657b2323f6dc0e82d748 Mon Sep 17 00:00:00 2001
From: Michael R Sweet
Date: Sat, 10 Jan 2026 14:44:47 -0500
Subject: [PATCH] Fix AES-256 key initialization.
---
 CHANGES.md | 1 +
 pdfio-aes.c | 4 ++--
 pdfio-private.h | 4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 79a4cf8..f4846a7 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -6,6 +6,7 @@ v1.7.0 - YYYY-MM-DD
 -------------------
 - Now use TTF 1.1 or later for font support.
+- Fixed a buffer overflow in the (still not enabled) AES-256 code.
 v1.6.2 - YYYY-MM-DD
diff --git a/pdfio-aes.c b/pdfio-aes.c
index 72f77ef..9f2ab4b 100644
--- a/pdfio-aes.c
+++ b/pdfio-aes.c
@@ -1,7 +1,7 @@
 //
 // AES functions for PDFio.
 //
-// Copyright © 2021-2025 by Michael R Sweet.
+// Copyright © 2021-2026 by Michael R Sweet.
 //
 // Licensed under Apache License v2.0. See the file "LICENSE" for more
 // information.
@@ -117,7 +117,7 @@ _pdfioCryptoAESInit(
 memcpy(ctx->round_key, key, keylen);
 // All other round keys are found from the previous round keys.
- for (rkptr0 = ctx->round_key, rkptr = rkptr0 + keylen, rkend = rkptr + 16 * ctx->round_size, i = nwords; rkptr < rkend; i ++)
+ for (rkptr0 = ctx->round_key, rkptr = rkptr0 + keylen, rkend = rkptr0 + 16 * ctx->round_size + 16, i = nwords; rkptr < rkend; i ++)
 {
 if ((i % nwords) == 0)
 {
diff --git a/pdfio-private.h b/pdfio-private.h
index e4d8f89..b84a8ac 100644
--- a/pdfio-private.h
+++ b/pdfio-private.h
@@ -1,7 +1,7 @@
 //
 // Private header file for PDFio.
 //
-// Copyright © 2021-2025 by Michael R Sweet.
+// Copyright © 2021-2026 by Michael R Sweet.
 //
 // Licensed under Apache License v2.0. See the file "LICENSE" for more
 // information.
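Review bot: In the pdfio-aes.c hunk at `_pdfioCryptoAESInit`, the corrected bound `rkend = rkptr0 + 16 * ctx->round_size + 16` is still not tied to the size of `ctx->round_key`, so the loop stays memory-safe only while the array size in pdfio-private.h and this arithmetic are kept in step by hand. Assuming `round_size` holds the number of rounds (its assignment is outside the hunk), I would write it as `rkend = rkptr0 + 16 * (ctx->round_size + 1)` with a comment such as `// (rounds + 1) round keys of 16 bytes each`, and check before the loop that this length does not exceed `sizeof(ctx->round_key)`. The context line `memcpy(ctx->round_key, key, keylen);` likewise shows no bound on `keylen` within the hunk; the function starts before the hunk and continues after it, so a check may already exist and is worth confirming. Since the changelog entry describes this as a buffer overflow, a known-answer test of the AES-256 key expansion would keep the bound from regressing.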
@@ -176,7 +176,7 @@ typedef struct _pdfio_value_s // Value structure
 typedef struct _pdfio_aes_s // AES encryption state
 {
 size_t round_size; // Size of round key
- uint8_t round_key[240], // Round key
+ uint8_t round_key[256], // Round key
 iv[16]; // Initialization vector
 } _pdfio_aes_t;
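Review bot: The new size in `uint8_t round_key[256]` is a bare number whose relation to the key schedule is not stated, and the comment still reads only `// Round key`. An AES-256 schedule is 15 round keys of 16 bytes, 240 bytes in total, so with the corrected loop bound in pdfio-aes.c the extra 16 bytes are margin rather than required space. That margin also means a later one-block overrun of the schedule would stay inside the array and go unnoticed by a bounds-checking sanitizer. I would either keep the exact size or document the margin, for example `uint8_t round_key[256], // Round key (AES-256 uses 240 bytes; remainder is margin)`.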