poppler/Decrypt.cc | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-)
New commits: commit 224dda4d292a097866f109a9d2cec4b3ba78eb97 Author: Albert Astals Cid <[email protected]> Date: Tue May 22 19:17:20 2018 +0200 Fix out of bounds write in BaseCryptStream fixes oss-fuzz/8420 diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc index bf858cec..d4ce0ce3 100644 --- a/poppler/Decrypt.cc +++ b/poppler/Decrypt.cc @@ -321,12 +321,14 @@ BaseCryptStream::BaseCryptStream(Stream *strA, Guchar *fileKey, CryptAlgorithm a } switch (algo) { case cryptRC4: - objKey[keyLength] = objNum & 0xff; - objKey[keyLength + 1] = (objNum >> 8) & 0xff; - objKey[keyLength + 2] = (objNum >> 16) & 0xff; - objKey[keyLength + 3] = objGen & 0xff; - objKey[keyLength + 4] = (objGen >> 8) & 0xff; - md5(objKey, keyLength + 5, objKey); + if (likely(keyLength < (sizeof(objKey) - 4))) { + objKey[keyLength] = objNum & 0xff; + objKey[keyLength + 1] = (objNum >> 8) & 0xff; + objKey[keyLength + 2] = (objNum >> 16) & 0xff; + objKey[keyLength + 3] = objGen & 0xff; + objKey[keyLength + 4] = (objGen >> 8) & 0xff; + md5(objKey, keyLength + 5, objKey); + } if ((objKeyLength = keyLength + 5) > 16) { objKeyLength = 16; } _______________________________________________ poppler mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/poppler
