I am not sure if I am just missing where this is verified earlier, but isn't
unsigned int signed_data_len = r2.getInt()+r4.getInt(); unsigned char *to_check = (unsigned char *)gmalloc(signed_data_len); //Read the 2 slices of data that are signed doc->getBaseStream()->setPos(0); doc->getBaseStream()->doGetChars(r2.getInt(), to_check); doc->getBaseStream()->setPos(r3.getInt()); doc->getBaseStream()->doGetChars(r4.getInt(), to_check+r2.getInt()); from FormFieldSignature::validateSignature susceptible to buffer overflow? Meaning for example if r4.getInt() < 0, then signed_data_len < r2.getInt(), so we overflow to_check in the first call to doGetChars while the second one becomes a no-op for a least the Stream and FileStream implementations. Best regards, Adam. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to poppler in Ubuntu. https://bugs.launchpad.net/bugs/740506 Title: verify digital signatures To manage notifications about this bug go to: https://bugs.launchpad.net/evince/+bug/740506/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs