diff options
author | Tor Andersson <tor.andersson@artifex.com> | 2011-04-22 16:43:57 +0200 |
---|---|---|
committer | Tor Andersson <tor.andersson@artifex.com> | 2011-04-25 15:35:40 +0200 |
commit | a45ae4ceb7bd8cbcd2f6d2ed608e8451f6b9dd9a (patch) | |
tree | 6376618198f66d58d45e7baf159c05cb12b9b8f0 | |
parent | ba7b188c4fd2825d59e90f01a2d8e66fdd1a8cd5 (diff) | |
download | mupdf-a45ae4ceb7bd8cbcd2f6d2ed608e8451f6b9dd9a.tar.xz |
Check AES encrypted string length and padding values.
-rw-r--r-- | pdf/pdf_crypt.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/pdf/pdf_crypt.c b/pdf/pdf_crypt.c index e1243d24..f05b7366 100644 --- a/pdf/pdf_crypt.c +++ b/pdf/pdf_crypt.c @@ -721,7 +721,9 @@ pdf_crypt_obj_imp(pdf_crypt *crypt, fz_obj *obj, unsigned char *key, int keylen) if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3) { - if (n >= 32) + if (n & 15 || n < 32) + fz_warn("invalid string length for aes encryption"); + else { unsigned char iv[16]; fz_aes aes; @@ -729,7 +731,10 @@ pdf_crypt_obj_imp(pdf_crypt *crypt, fz_obj *obj, unsigned char *key, int keylen) aes_setkey_dec(&aes, key, keylen * 8); aes_crypt_cbc(&aes, AES_DECRYPT, n - 16, iv, s + 16, s); /* delete space used for iv and padding bytes at end */ - fz_set_str_len(obj, n - 16 - s[n - 17]); + if (s[n - 17] < 1 || s[n - 17] > 16) + fz_warn("aes padding out of range"); + else + fz_set_str_len(obj, n - 16 - s[n - 17]); } } } |