Check AES encrypted string length and padding values.

author: Tor Andersson <tor.andersson@artifex.com> 2011-04-22 16:43:57 +0200
committer: Tor Andersson <tor.andersson@artifex.com> 2011-04-25 15:35:40 +0200
commit: a45ae4ceb7bd8cbcd2f6d2ed608e8451f6b9dd9a (patch)
tree: 6376618198f66d58d45e7baf159c05cb12b9b8f0 /pdf/pdf_crypt.c
parent: ba7b188c4fd2825d59e90f01a2d8e66fdd1a8cd5 (diff)
download: mupdf-a45ae4ceb7bd8cbcd2f6d2ed608e8451f6b9dd9a.tar.xz
1 files changed, 7 insertions, 2 deletions
diff --git a/pdf/pdf_crypt.c b/pdf/pdf_crypt.c
index e1243d24..f05b7366 100644
--- a/pdf/pdf_crypt.c
+++ b/pdf/pdf_crypt.c
@@ -721,7 +721,9 @@ pdf_crypt_obj_imp(pdf_crypt *crypt, fz_obj *obj, unsigned char *key, int keylen)
 
 		if (crypt->strf.method == PDF_CRYPT_AESV2 || crypt->strf.method == PDF_CRYPT_AESV3)
 		{
-			if (n >= 32)
+			if (n & 15 || n < 32)
+				fz_warn("invalid string length for aes encryption");
+			else
 			{
 				unsigned char iv[16];
 				fz_aes aes;
@@ -729,7 +731,10 @@ pdf_crypt_obj_imp(pdf_crypt *crypt, fz_obj *obj, unsigned char *key, int keylen)
 				aes_setkey_dec(&aes, key, keylen * 8);
 				aes_crypt_cbc(&aes, AES_DECRYPT, n - 16, iv, s + 16, s);
 				/* delete space used for iv and padding bytes at end */
-				fz_set_str_len(obj, n - 16 - s[n - 17]);
+				if (s[n - 17] < 1 || s[n - 17] > 16)
+					fz_warn("aes padding out of range");
+				else
+					fz_set_str_len(obj, n - 16 - s[n - 17]);
 			}
 		}
 	}
author	Tor Andersson <tor.andersson@artifex.com>	2011-04-22 16:43:57 +0200
committer	Tor Andersson <tor.andersson@artifex.com>	2011-04-25 15:35:40 +0200
commit	a45ae4ceb7bd8cbcd2f6d2ed608e8451f6b9dd9a (patch)
tree	6376618198f66d58d45e7baf159c05cb12b9b8f0 /pdf/pdf_crypt.c
parent	ba7b188c4fd2825d59e90f01a2d8e66fdd1a8cd5 (diff)
download	mupdf-a45ae4ceb7bd8cbcd2f6d2ed608e8451f6b9dd9a.tar.xz