[Libreoffice-commits] core.git: xmlsecurity/source

[Miklos Vajna]

 xmlsecurity/source/pdfio/pdfdocument.cxx |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

New commits:
commit f3d9249ca6be6e69362b3ae90842fd2211fd0829
Author: Miklos Vajna <vmiklos at collabora.co.uk>
Date:   Fri Oct 14 18:15:35 2016 +0200

    xmlsecurity: check file header when reading PDF signature
    
    Currently the only non-ZIP-based import filter that declares the
    SUPPORTSSIGNING flag is PDF, so if we get a stream without a storage, we
    assume it's PDF.
    
    If any other non-ZIP-based format would add that flag in the future,
    that would mean PDFDocument::Read() gets that as an input. That means it
    makes sense to at least check the file header early in the tokenizer,
    and return early when that doesn't match.
    
    Change-Id: I8760d130c4211f37be705e03b22814825042cac8
    Reviewed-on: https://gerrit.libreoffice.org/29888
    Tested-by: Jenkins <ci at libreoffice.org>
    Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>

diff --git a/xmlsecurity/source/pdfio/pdfdocument.cxx b/xmlsecurity/source/pdfio/pdfdocument.cxx
index 3766e4d..4711084 100644
--- a/xmlsecurity/source/pdfio/pdfdocument.cxx
+++ b/xmlsecurity/source/pdfio/pdfdocument.cxx
@@ -215,7 +215,17 @@ PDFDocument::PDFDocument()
 
 bool PDFDocument::Read(SvStream& rStream)
 {
-    // First look up the offset of the xref table.
+    // Check file magic.
+    std::vector<sal_Int8> aHeader(5);
+    rStream.Seek(0);
+    rStream.ReadBytes(aHeader.data(), aHeader.size());
+    if (aHeader[0] != '%' || aHeader[1] != 'P' || aHeader[2] != 'D' || aHeader[3] != 'F' || aHeader[4] != '-')
+    {
+        SAL_WARN("xmlsecurity.pdfio", "PDFDocument::Read: header mismatch");
+        return false;
+    }
+
+    // Look up the offset of the xref table.
     size_t nStartXRef = FindStartXRef(rStream);
     SAL_INFO("xmlsecurity.pdfio", "PDFDocument::Read: nStartXRef is " << nStartXRef);
     if (nStartXRef == 0)