xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

New commits:
commit b90be9916d3438d3731721ddbd2191ce67e68201
Author: Katarina Behrens <katarina.behr...@cib.de>
Date:   Fri Jul 14 14:03:31 2017 +0200

    gpg4libre: Don't use xmlStrlen on binary data
    
    Odd things happen inside gpgme if the buffer is prematurely
    truncated due to \n char and valid signature is then evaluated
    as invalid
    
    Change-Id: I24d4d22af06a3dde6eb7fdfc12953cf1b5f19c1e
    Reviewed-on: https://gerrit.libreoffice.org/39945
    Reviewed-by: Samuel Mehrbrodt <samuel.mehrbr...@cib.de>
    Tested-by: Jenkins <c...@libreoffice.org>
    Reviewed-by: Katarina Behrens <katarina.behr...@cib.de>
    (cherry picked from commit 02bb4ebf2b0dd656bfb0e8185e702267606a7e64)
    Reviewed-on: https://gerrit.libreoffice.org/39964
    Reviewed-by: Thorsten Behrens <thorsten.behr...@cib.de>
    Reviewed-by: Miklos Vajna <vmik...@collabora.co.uk>
    Tested-by: Miklos Vajna <vmik...@collabora.co.uk>

diff --git a/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx 
b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
index 1667af6f59ad..0700c43f1ea6 100644
--- a/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
+++ b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
@@ -359,12 +359,13 @@ SAL_CALL XMLSignature_GpgImpl::validate(
         if(!xmlSecCheckNodeName(cur, xmlSecNodeSignatureValue, xmlSecDSigNs))
             throw RuntimeException("The GpgME library failed to initialize for 
the OpenPGP protocol.");
         xmlChar* pSignatureValue=xmlNodeGetContent(cur);
-        if(xmlSecBase64Decode(pSignatureValue, 
reinterpret_cast<xmlSecByte*>(pSignatureValue), xmlStrlen(pSignatureValue)) < 0)
+        int nSigSize = xmlSecBase64Decode(pSignatureValue, 
reinterpret_cast<xmlSecByte*>(pSignatureValue), xmlStrlen(pSignatureValue));
+        if( nSigSize < 0)
             throw RuntimeException("The GpgME library failed to initialize for 
the OpenPGP protocol.");
 
         GpgME::Data data_signature(
             reinterpret_cast<char*>(pSignatureValue),
-            xmlStrlen(pSignatureValue), false);
+            nSigSize, false);
 
         GpgME::VerificationResult verify_res=rCtx.verifyDetachedSignature(
             data_signature, data_text);
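Review bot: The `nSigSize < 0` path throws while `pSignatureValue`, allocated by `xmlNodeGetContent`, is still held, and no `xmlFree` is visible in this hunk, so a document with a malformed SignatureValue appears to leak the buffer on every validation attempt. Adding `xmlFree(pSignatureValue);` before that throw, or holding the pointer in a scoped owner, would close it. The exception on that path still says the GpgME library failed to initialize, which misreports a base64 decode failure; wording such as `"Base64 decoding of the SignatureValue failed."` (constructed here) would make rejected signatures diagnosable. Because `data_signature` is built with the copy flag `false`, the buffer has to stay alive until `verifyDetachedSignature` returns, so the success-path release belongs after the verify call. `validate` begins and ends outside the hunk, so a later free may exist that is not visible here.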