[Poppler-bugs] [Bug 16770] support for digital signatures

bugzilla-daemon at freedesktop.org
Mon Sep 14 13:02:35 PDT 2015


https://bugs.freedesktop.org/show_bug.cgi?id=16770

--- Comment #57 from Adam Reichold <adam.reichold at t-online.de> ---
I am not sure if I am just missing where this is verified earlier, but isn't

unsigned int signed_data_len = r2.getInt()+r4.getInt();
unsigned char *to_check = (unsigned char *)gmalloc(signed_data_len);

//Read the 2 slices of data that are signed
doc->getBaseStream()->setPos(0);
doc->getBaseStream()->doGetChars(r2.getInt(), to_check);
doc->getBaseStream()->setPos(r3.getInt());
doc->getBaseStream()->doGetChars(r4.getInt(), to_check+r2.getInt());

from FormFieldSignature::validateSignature susceptible to buffer overflow?

Meaning, for example, if r4.getInt() < 0, then signed_data_len < r2.getInt(), so
we overflow to_check in the first call to doGetChars while the second one
becomes a no-op for at least the Stream and FileStream implementations.

Best regards, Adam.
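
Added example, not part of the original comment and not poppler code: one way to validate the three values read from r2, r3 and r4 before allocating and copying. The helper name readSignedRanges, the in-memory vector standing in for the base stream, and the rule that the second slice may not overlap the first are assumptions of this sketch.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical helper (not poppler API). `file` stands in for the base stream;
// r2 = length of the first slice (read from offset 0, as in the quoted code),
// r3 = offset of the second slice, r4 = length of the second slice.
bool readSignedRanges(const std::vector<unsigned char> &file,
                      int r2, int r3, int r4,
                      std::vector<unsigned char> &out)
{
    out.clear();

    // Reject negative values before any arithmetic: a negative r4 is what
    // makes r2 + r4 smaller than r2 in the quoted code.
    if (r2 < 0 || r3 < 0 || r4 < 0)
        return false;

    // Widen to 64 bits so the sums below cannot wrap.
    const uint64_t size = file.size();
    const uint64_t len1 = static_cast<uint64_t>(r2);
    const uint64_t off2 = static_cast<uint64_t>(r3);
    const uint64_t len2 = static_cast<uint64_t>(r4);

    // Both slices must lie entirely inside the document.
    if (len1 > size || off2 + len2 > size)
        return false;

    // Policy assumed by this example: the second slice starts at or after
    // the end of the first, so no byte is copied twice.
    if (off2 < len1)
        return false;

    // The buffer is sized from the validated lengths only.
    out.reserve(len1 + len2);
    out.insert(out.end(), file.data(), file.data() + len1);
    out.insert(out.end(), file.data() + off2, file.data() + off2 + len2);
    return true;
}

int main()
{
    // Constructed 10-byte "document": bytes 0..9.
    std::vector<unsigned char> file = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}, out;
    std::printf("valid ranges: %d\n", readSignedRanges(file, 3, 6, 4, out));
    std::printf("negative r4:  %d\n", readSignedRanges(file, 8, 9, -5, out));
    return 0;
}
```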
