[poppler] Branch 'signatureHandling' - poppler/Form.cc
Albert Astals Cid
aacid at kemper.freedesktop.org
Thu Sep 24 14:58:09 PDT 2015
poppler/Form.cc | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
New commits:
commit 4f7903ebc037c63683637973285bc34ea83542dc
Author: André Guerreiro <aguerreiro1985 at gmail.com>
Date: Thu Sep 24 23:57:46 2015 +0200
Fix for Buffer overflow
diff --git a/poppler/Form.cc b/poppler/Form.cc
index c5631dc..5bf3492 100644
--- a/poppler/Form.cc
+++ b/poppler/Form.cc
@@ -1455,7 +1455,18 @@ SignatureInfo *FormFieldSignature::validateSignature(bool doVerifyCert, bool for
byte_range.arrayGet(2, &r3);
byte_range.arrayGet(3, &r4);
- unsigned int signed_data_len = r2.getInt()+r4.getInt();
+ unsigned int signed_data_len = 0;
+
+ Goffset fileLength = doc->getBaseStream()->getLength();
+
+ if (r2.getInt() <= 0 || r3.getInt() <= 0 || r4.getInt() <= 0 || r3.getInt() <= r2.getInt() ||
+ r3.getInt() + r4.getInt() > fileLength)
+ {
+ error(errSyntaxError, 0, "Illegal values in ByteRange array");
+ return signature_info;
+ }
+
+ signed_data_len = r2.getInt() + r4.getInt();
unsigned char *to_check = (unsigned char *)gmalloc(signed_data_len);
//Read the 2 slices of data that are signed
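Review bot: The new bound check `r3.getInt() + r4.getInt() > fileLength` adds two `int` values before comparing against the `Goffset` length, so two large positive entries from a crafted ByteRange can overflow (undefined behaviour for signed `int`) and a wrapped sum may pass the check. Doing the arithmetic in the wider type closes that gap: `(Goffset)r3.getInt() + (Goffset)r4.getInt() > fileLength`. The same applies to `signed_data_len = r2.getInt() + r4.getInt();`, which feeds `gmalloc`; it would be safer to compute that sum as `Goffset` and reject it if it does not fit in `unsigned int` before assigning. The hunk does not show whether the four array entries are verified to be integers or whether the first offset is validated, so that is worth confirming in the part of `validateSignature` that lies outside the hunk. A short comment above the `if` stating the expected ByteRange layout (offset/length pairs, second slice ending within the file) would make the conditions easier to audit.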