diff options
| author | Robin Watts <robin.watts@artifex.com> | 2012-12-14 11:37:15 +0000 |
|---|---|---|
| committer | Robin Watts <robin.watts@artifex.com> | 2012-12-14 12:51:40 +0000 |
| commit | 25ee437eb784a8eb241b9463e79dad429b60e933 (patch) | |
| tree | bb0b66f88008e73b8b1f40f3ed36763d06a2b5f9 /fitz/crypt_aes.c | |
| parent | df835b0f23b4976b453d3bdd63c60804b2376c16 (diff) | |
| download | mupdf-25ee437eb784a8eb241b9463e79dad429b60e933.tar.xz | |
Bug 693503: Fix SEGV/memory problems in AES.
If an illegal keysize is passed into the AES crypt filter, we
currently exit without setting up the AES context. This causes
us to fail in all manner of ways later on.
We now return failure and callers throw an exception.
This appears to solve all the SEGVs and memory exceptions found in
crypt_aes by Mateusz "j00ru" Jurczyk and Gynvael Coldwind of the
Google Security Team using Address Sanitizer. Many thanks!
Diffstat (limited to 'fitz/crypt_aes.c')
| -rw-r--r-- | fitz/crypt_aes.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/fitz/crypt_aes.c b/fitz/crypt_aes.c index 4d8c4498..27db64fc 100644 --- a/fitz/crypt_aes.c +++ b/fitz/crypt_aes.c @@ -176,7 +176,7 @@ static void aes_gen_tables( void ) /* * AES key schedule (encryption) */ -void aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize ) +int aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize ) { int i; unsigned long *RK; @@ -194,7 +194,7 @@ void aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize ) case 128: ctx->nr = 10; break; case 192: ctx->nr = 12; break; case 256: ctx->nr = 14; break; - default : return; + default : return 1; } #if defined(PADLOCK_ALIGN16) @@ -274,12 +274,13 @@ void aes_setkey_enc( aes_context *ctx, const unsigned char *key, int keysize ) break; } + return 0; } /* * AES key schedule (decryption) */ -void aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize ) +int aes_setkey_dec(aes_context *ctx, const unsigned char *key, int keysize) { int i, j; aes_context cty; @@ -291,7 +292,7 @@ void aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize ) case 128: ctx->nr = 10; break; case 192: ctx->nr = 12; break; case 256: ctx->nr = 14; break; - default : return; + default: return 1; } #if defined(PADLOCK_ALIGN16) @@ -300,7 +301,9 @@ void aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize ) ctx->rk = RK = ctx->buf; #endif - aes_setkey_enc( &cty, key, keysize ); + i = aes_setkey_enc( &cty, key, keysize ); + if (i) + return i; SK = cty.rk + cty.nr * 4; *RK++ = *SK++; @@ -325,6 +328,7 @@ void aes_setkey_dec( aes_context *ctx, const unsigned char *key, int keysize ) *RK++ = *SK++; memset( &cty, 0, sizeof( aes_context ) ); + return 0; } #define AES_FROUND(X0,X1,X2,X3,Y0,Y1,Y2,Y3) \ |