<html>
    <head>
      <base href="https://bugs.freedesktop.org/" />
    </head>
    <body>
      <p>
        <div>
            <b><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - support for digital signatures"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=16770#c57">Comment # 57</a>
              on <a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - support for digital signatures"
   href="https://bugs.freedesktop.org/show_bug.cgi?id=16770">bug 16770</a>
              from <span class="vcard"><a class="email" href="mailto:adam.reichold@t-online.de" title="Adam Reichold <adam.reichold@t-online.de>"> <span class="fn">Adam Reichold</span></a>
</span></b>
        <pre>I am not sure if I am just missing where this is verified earlier, but isn't

unsigned int signed_data_len = r2.getInt()+r4.getInt();
unsigned char *to_check = (unsigned char *)gmalloc(signed_data_len);

//Read the 2 slices of data that are signed
doc->getBaseStream()->setPos(0);
doc->getBaseStream()->doGetChars(r2.getInt(), to_check);
doc->getBaseStream()->setPos(r3.getInt());
doc->getBaseStream()->doGetChars(r4.getInt(), to_check+r2.getInt());

from FormFieldSignature::validateSignature susceptible to buffer overflow?

Meaning for example if r4.getInt() < 0, then signed_data_len < r2.getInt(), so
we overflow to_check in the first call to doGetChars while the second one
becomes a no-op for at least the Stream and FileStream implementations.

Best regards, Adam.</pre>
        </div>
      </p>
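<p>Added example, not part of the comment above or of poppler's code: a checked counterpart to the quoted length computation. Function names, the signed 64-bit parameter types and the in-memory buffer standing in for the document stream are assumptions for illustration; r1..r4 are the four /ByteRange integers (offset, length, offset, length) that the quoted code reads via getInt().</p>

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical checked version of "signed_data_len = r2 + r4". PDF integers
 * are signed, so every range value is validated before it sizes a buffer.
 * file_len is the size of the underlying stream. Returns the number of
 * signed bytes, or -1 when the ranges cannot describe two in-bounds slices. */
long long checked_signed_data_len(long long r1, long long r2, long long r3,
                                  long long r4, long long file_len)
{
    if (file_len < 0) return -1;
    if (r1 != 0) return -1;              /* the quoted code reads slice 1 from offset 0 */
    if (r2 < 0 || r3 < 0 || r4 < 0) return -1; /* a negative length shrinks the allocation below the first read */
    if (r2 > file_len) return -1;        /* slice 1 inside the file */
    if (r3 > file_len || r4 > file_len - r3) return -1; /* slice 2 inside the file; subtraction cannot wrap */
    if (r3 < r2) return -1;              /* slices must not overlap; the gap holds /Contents */
    return r2 + r4;                      /* both terms <= file_len, so the sum cannot wrap */
}

/* What the quoted code computes with no check, for comparison: int + int
 * stored into an unsigned int, so a negative r4 yields a value below r2. */
unsigned int unchecked_signed_data_len(int r2, int r4)
{
    return (unsigned int)r2 + (unsigned int)r4;
}

/* Copy the two signed slices out of an in-memory stand-in for the stream.
 * Returns a malloc'd buffer of *out_len bytes, or NULL when validation
 * fails (nothing is allocated or read in that case). Caller frees. */
unsigned char *collect_signed_data(const unsigned char *doc, long long doc_len,
                                   long long r1, long long r2, long long r3,
                                   long long r4, long long *out_len)
{
    long long n = checked_signed_data_len(r1, r2, r3, r4, doc_len);
    if (n < 0) return NULL;
    unsigned char *to_check = malloc(n > 0 ? (size_t)n : 1);
    if (!to_check) return NULL;
    memcpy(to_check, doc, (size_t)r2);             /* bytes [0, r2) */
    memcpy(to_check + r2, doc + r3, (size_t)r4);   /* bytes [r3, r3 + r4) */
    *out_len = n;
    return to_check;
}
```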
    </body>
</html>