poppler/Form.cc | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
New commits:
commit 4f7903ebc037c63683637973285bc34ea83542dc
Author: André Guerreiro <[email protected]>
Date: Thu Sep 24 23:57:46 2015 +0200
Fix for Buffer overflow
diff --git a/poppler/Form.cc b/poppler/Form.cc
index c5631dc..5bf3492 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -1455,7 +1455,18 @@ SignatureInfo *FormFieldSignature::validateSignature(bool doVerifyCert, bool for
 byte_range.arrayGet(2, &r3);
 byte_range.arrayGet(3, &r4);
- unsigned int signed_data_len = r2.getInt()+r4.getInt();
+ unsigned int signed_data_len = 0;
+
+ Goffset fileLength = doc->getBaseStream()->getLength();
+
+ if (r2.getInt() <= 0 || r3.getInt() <= 0 || r4.getInt() <= 0 || r3.getInt() <= r2.getInt() ||
+ r3.getInt() + r4.getInt() > fileLength)
+ {
+ error(errSyntaxError, 0, "Illegal values in ByteRange array");
+ return signature_info;
+ }
+
+ signed_data_len = r2.getInt() + r4.getInt();
 unsigned char *to_check = (unsigned char *)gmalloc(signed_data_len);
 //Read the 2 slices of data that are signed
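Review bot: The bound `r3.getInt() + r4.getInt() > fileLength` is added in `int` before it is widened for the comparison (assuming `getInt()` returns `int`), so two large positive ByteRange values can overflow and get past the check. Widen before adding, e.g. `(Goffset)r3.getInt() + r4.getInt() > fileLength`. The same applies to `signed_data_len = r2.getInt() + r4.getInt();`, where the sum can exceed `INT_MAX` before it reaches the `unsigned int`; `(unsigned int)r2.getInt() + (unsigned int)r4.getInt()` avoids that. The new condition also never looks at the first ByteRange element and calls `getInt()` without confirming the entries are integers; if neither is checked earlier in the function, both are worth adding here. validateSignature begins and continues outside this hunk.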
