If a document has a signature without a <Reference> element,
DSIGReference::verifyReferenceList() gets passed a NULL
DSIGReferenceList.  It does not check the pointer before dereferencing
it.  The problem can be reproduced by running checksig on the attached
document.  Fall down, go boom!

Changing:

        int size = (int) lst->getSize();

to:

        int size = (lst ? (int) lst->getSize() : 0);

prevents the crash, but I'm not sure whether it completely addresses the
problem.  Certainly the function should defend against this case, but
should it be getting called with a NULL list in the first place?
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<Test>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<!--
<Reference URI="">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>qjs2tyEiA79jqpHYkUoWdBYSUT4=</DigestValue>
</Reference>
-->
</SignedInfo>
<SignatureValue>MgpOtxg3BYekLI7pCwwyDmWrtK0g5LwKfknDRL6jDqSYcEZ3PtpSFnPLpGW+dMbH
clwzz9hsNfjRHnpDdr9jXg==</SignatureValue>
</Signature>
</Test>
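
A fail-closed form of the guard discussed in the message above, as an added example that is not part of the original message or the library's own code. `Reference`, `ReferenceList`, `RefResult` and `signatureAcceptable` are hypothetical simplified stand-ins. It assumes a signature whose SignedInfo has no Reference should be rejected (the XML Signature schema requires at least one) rather than pass vacuously once the size is 0.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for one <Reference>: the digest stored in the document
// and the digest recomputed over the referenced data (done elsewhere).
struct Reference {
    std::string storedDigest;
    std::string computedDigest;
    bool checkHash() const { return storedDigest == computedDigest; }
};

// Hypothetical stand-in for the reference list handed to the verifier.
class ReferenceList {
    std::vector<Reference> refs_;
public:
    void add(const Reference& r) { refs_.push_back(r); }
    std::size_t getSize() const { return refs_.size(); }
    const Reference& item(std::size_t i) const { return refs_[i]; }
};

enum class RefResult { Ok, DigestMismatch, NoReferences };

// A NULL or empty list is reported as its own failure instead of being
// dereferenced, and instead of counting as "every reference verified".
RefResult verifyReferenceList(const ReferenceList* lst, std::string& errStr) {
    if (lst == nullptr || lst->getSize() == 0) {
        errStr += "SignedInfo contains no Reference elements\n";
        return RefResult::NoReferences;
    }
    RefResult result = RefResult::Ok;
    for (std::size_t i = 0; i < lst->getSize(); ++i) {
        if (!lst->item(i).checkHash()) {
            errStr += "Reference " + std::to_string(i) + " failed digest check\n";
            result = RefResult::DigestMismatch;
        }
    }
    return result;
}

// Caller policy (assumption): accept only when at least one reference exists
// and all of them verified.
bool signatureAcceptable(const ReferenceList* lst, std::string& errStr) {
    return verifyReferenceList(lst, errStr) == RefResult::Ok;
}
```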
