From bdb5cdee34edc38e47bf9b3a9830830d072f0c91 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20B=C3=BCnzli?=
Date: Wed, 8 Jan 2014 16:23:12 +0100
Subject: sanitize crypt revision in pdf_new_crypt

(Second part of Simons patch - apologies for missing this the first time). This correctly enables the sanitization of the key length needed for 90db34f64037e2a8a5c3b6a518ba4153_asan_heap-oob_9b117e_1197_1802.pdf Thanks to Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team for providing the example files.
---
 source/pdf/pdf-crypt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'source')

diff --git a/source/pdf/pdf-crypt.c b/source/pdf/pdf-crypt.c
index daeead1a..dda53cf0 100644
--- a/source/pdf/pdf-crypt.c
+++ b/source/pdf/pdf-crypt.c
@@ -318,7 +318,7 @@ pdf_parse_crypt_filter(fz_context *ctx, pdf_crypt_filter *cf, pdf_crypt *crypt,
  if ((cf->length % 8) != 0)
  fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
- if ((crypt->r == 1 || crypt->r == 2 || crypt->r == 4) &&
+ if ((crypt->r == 1 || crypt->r == 2 || crypt->r == 3 || crypt->r == 4) &&
  (cf->length < 0 || cf->length > 128))
  fz_throw(ctx, FZ_ERROR_GENERIC, "invalid key length: %d", cf->length);
  if ((crypt->r == 5 || crypt->r == 6) && cf->length != 256)
-- 
cgit v1.2.3
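Review bot: The range test on the added line still lets a zero-bit key through for revisions 1–4: `cf->length == 0` passes the `% 8` test on the first context line and is neither `< 0` nor `> 128`, so it is never rejected here, and I cannot see in this hunk whether anything that later sizes the key from `cf->length` copes with 0. The PDF specification bounds /Length to 40..128 bits for these revisions, so changing the new condition to `(cf->length < 40 || cf->length > 128)` would reject that case at the same spot; if a missing or zero /Length is meant to default to 40 bits, that default belongs before this check rather than being let through it. With all four low revisions now listed, `crypt->r >= 1 && crypt->r <= 4` would read more clearly than the four-way `||` chain, and a short comment such as `/* R1-R4: key length is 40..128 bits, multiple of 8 */` would record why revision 3 joins the list. The throw following the R5/R6 test and the rest of pdf_parse_crypt_filter lie outside the hunk.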