[Libreoffice-commits] core.git: Branch 'libreoffice-6-1' - xmlsecurity/source
Libreoffice Gerrit user
logerrit at kemper.freedesktop.org
Fri Aug 3 08:57:11 UTC 2018
xmlsecurity/source/helper/xmlsignaturehelper.cxx | 30 +++++++++++++----------
1 file changed, 17 insertions(+), 13 deletions(-)
New commits:
commit 8ed224599ae7985b577f0bf737b2b9b2e8dd47b7
Author: Caolán McNamara <caolanm at redhat.com>
AuthorDate: Wed Aug 1 09:18:16 2018 +0100
Commit: Michael Stahl <Michael.Stahl at cib.de>
CommitDate: Fri Aug 3 10:56:47 2018 +0200
forcepoint#57 sanity check stream signature size
Change-Id: I5ae459e159a64f32c62278a87e37deb08ab9d6ac
Reviewed-on: https://gerrit.libreoffice.org/58448
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
index 40c0f19a8fdf..a3bb382a8ea4 100644
--- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
@@ -369,21 +369,25 @@ bool XMLSignatureHelper::ReadAndVerifySignatureStorage(const uno::Reference<embe
if (!bCacheLastSignature && i == aRelationsInfo.getLength() - 1)
bCache = false;
- if (bCache)
+ if (!bCache)
+ continue;
+ // Store the contents of the stream as is, in case we need to write it back later.
+ xInputStream.clear();
+ xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY);
+ uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY);
+ if (!xPropertySet.is())
+ continue;
+
+ sal_Int64 nSize = 0;
+ xPropertySet->getPropertyValue("Size") >>= nSize;
+ if (nSize < 0 || nSize > SAL_MAX_INT32)
{
- // Store the contents of the stream as is, in case we need to write it back later.
- xInputStream.clear();
- xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY);
- uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY);
- if (xPropertySet.is())
- {
- sal_Int64 nSize = 0;
- xPropertySet->getPropertyValue("Size") >>= nSize;
- uno::Sequence<sal_Int8> aData;
- xInputStream->readBytes(aData, nSize);
- mpXSecController->setSignatureBytes(aData);
- }
+ SAL_WARN("xmlsecurity.helper", "bogus signature size: " << nSize);
+ continue;
}
+ uno::Sequence<sal_Int8> aData;
+ xInputStream->readBytes(aData, nSize);
+ mpXSecController->setSignatureBytes(aData);
}
}
}
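Review bot: The return value of `xInputStream->readBytes(aData, nSize)` is still ignored after the new range check, so a stream that yields fewer bytes than its "Size" property reports would be passed to `setSignatureBytes` truncated and without any warning. Consider `sal_Int32 nRead = xInputStream->readBytes(aData, static_cast<sal_Int32>(nSize));` followed by `if (nRead != nSize) { SAL_WARN("xmlsecurity.helper", "short signature read"); continue; }`, which also makes the 64-to-32-bit narrowing explicit. The result of `>>=` is likewise unchecked, so a "Size" value of an unexpected type appears to leave nSize at 0 and store an empty sequence. The SAL_MAX_INT32 bound removes the narrowing problem but still permits a read request of roughly 2 GiB for a single signature stream, so a tighter limit may be worth considering. The enclosing loop and ReadAndVerifySignatureStorage begin outside this hunk.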