Hello Mark, hello all,
> On 20 April 2018 at 00:09 Mark Rogers <mark.rog...@powermapper.com> wrote: 
> 
> 
> Hi 
> 
> 
> This code from PdfString::Write has a buffer overflow – it checks 
> buffer.GetSize() > 0 then sets nInputBufferLen=GetSize()-2 which is passed 
> to new[nInputBufferLen] and memcpy 

I'd like to contribute a fix for this (UTC tomorrow, I need to sleep soon):
> if( pEncrypt && m_buffer.GetSize() && IsValid() ) 

As IsValid() contains only a NULL check on the buffer in m_buffer,
the size check needs to be > 2 if ...
> { 
>   pdf_long nInputBufferLen = m_buffer.GetSize() - 2; // Cut off the trailing 
> pair of zeros 
there is to be a trailing-zero pair at all ...
Otherwise only when there is such a pair expected: should be the Unicode case.
I mean IMHO only then should there be one, I'm going to make it so too.
In the non-Unicode case I'll check if zero-termination is needed altogether;
if it isn't, the check wouldn't need to be changed, but the handling would.

>   pdf_long nUnicodeMarkerOffet = sizeof( PdfString::s_pszUnicodeMarker ); 
Of course I'd correct the typo also.

> 
> Best Regards 
>
> Mark 
> 

Best regards, mabri

P.S. Please still hold off with the rc2 for a bit (@Dominik), I'd like to 
commit Francesco Pretto's iterator API addition (13/13) and a PdfPage one 
of my own, still before the rc2 (and shouldn't the known vulnerabilities
be fixed in it also?).
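
The length computation discussed in this message, as an added example that is not part of the original mail and not PoDoFo's code: it shows how `GetSize() - 2` wraps for a 1-byte buffer when only `size > 0` was checked, next to a guarded version. All function names and the `terminatorLen` parameter are hypothetical; the caller passes 2 where a trailing zero pair is present and 0 where there is none.

```cpp
// Added illustration; function names are hypothetical, not PoDoFo's API.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Pattern from the quoted code: the caller only checked size > 0, then
// subtracted 2. For size 0 or 1 the unsigned subtraction wraps around.
std::size_t unchecked_payload_len(std::size_t bufSize) {
    return bufSize - 2;
}

// Guarded form: subtract the terminator only if the buffer can hold it.
// Returns false and leaves 'len' untouched for an undersized buffer.
bool checked_payload_len(std::size_t bufSize, std::size_t terminatorLen,
                         std::size_t& len) {
    if (bufSize < terminatorLen) return false;
    len = bufSize - terminatorLen;
    return true;
}

// Copies the payload without its terminator; empty result if undersized.
std::vector<char> copy_payload(const std::vector<char>& buf,
                               std::size_t terminatorLen) {
    std::size_t len = 0;
    if (!checked_payload_len(buf.size(), terminatorLen, len)) return {};
    std::vector<char> out(len);
    if (len > 0) std::memcpy(out.data(), buf.data(), len);
    return out;
}

int main() {
    // Constructed inputs: a 1-byte buffer and a 4-byte buffer ending in 00 00.
    std::vector<char> tiny = {'x'};
    std::vector<char> ok = {'a', 'b', '\0', '\0'};
    std::printf("unchecked len for size 1: %zu (SIZE_MAX is %zu)\n",
                unchecked_payload_len(tiny.size()), (std::size_t)SIZE_MAX);
    std::printf("checked copy, size 1: %zu bytes\n", copy_payload(tiny, 2).size());
    std::printf("checked copy, size 4: %zu bytes\n", copy_payload(ok, 2).size());
    return 0;
}
```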
