sanitize crypt revision in pdf_new_crypt

This correctly enables the sanitization of the key length needed for 90db34f64037e2a8a5c3b6a518ba4153_asan_heap-oob_9b117e_1197_1802.pdf
author: Simon Bünzli <zeniko@gmail.com> 2014-01-08 16:23:12 +0100
committer: Robin Watts <robin.watts@artifex.com> 2014-01-08 17:55:05 +0000
commit: 7e2fd58613a92dfd94550e35cfede9fa5b714e7f (patch)
tree: f348b8616bea6955fb611a9e39f380fc396d827b /source/pdf
parent: 835488aa0fb45f7c752f12f7184c76df26e8e5dc (diff)
download: mupdf-7e2fd58613a92dfd94550e35cfede9fa5b714e7f.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/source/pdf/pdf-crypt.c b/source/pdf/pdf-crypt.c
index e40fad95..daeead1a 100644
--- a/source/pdf/pdf-crypt.c
+++ b/source/pdf/pdf-crypt.c
@@ -97,6 +97,12 @@ pdf_new_crypt(fz_context *ctx, pdf_obj *dict, pdf_obj *id)
 		pdf_free_crypt(ctx, crypt);
 		fz_throw(ctx, FZ_ERROR_GENERIC, "encryption dictionary missing version and revision value");
 	}
+	if (crypt->r < 1 || crypt->r > 6)
+	{
+		int r = crypt->r;
+		pdf_free_crypt(ctx, crypt);
+		fz_throw(ctx, FZ_ERROR_GENERIC, "unknown crypt revision %d", r);
+	}
 
 	obj = pdf_dict_gets(dict, "O");
 	if (pdf_is_string(obj) && pdf_to_str_len(obj) == 32)
author	Simon Bünzli <zeniko@gmail.com>	2014-01-08 16:23:12 +0100
committer	Robin Watts <robin.watts@artifex.com>	2014-01-08 17:55:05 +0000
commit	7e2fd58613a92dfd94550e35cfede9fa5b714e7f (patch)
tree	f348b8616bea6955fb611a9e39f380fc396d827b /source/pdf
parent	835488aa0fb45f7c752f12f7184c76df26e8e5dc (diff)
download	mupdf-7e2fd58613a92dfd94550e35cfede9fa5b714e7f.tar.xz