[poppler] poppler/Decrypt.cc

Albert Astals Cid aacid at kemper.freedesktop.org
Tue May 22 17:18:17 UTC 2018


 poppler/Decrypt.cc |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

New commits:
commit 224dda4d292a097866f109a9d2cec4b3ba78eb97
Author: Albert Astals Cid <aacid at kde.org>
Date:   Tue May 22 19:17:20 2018 +0200

    Fix out of bounds write in BaseCryptStream
    
    fixes oss-fuzz/8420

diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index bf858cec..d4ce0ce3 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -321,12 +321,14 @@ BaseCryptStream::BaseCryptStream(Stream *strA, Guchar *fileKey, CryptAlgorithm a
   }
   switch (algo) {
   case cryptRC4:
-    objKey[keyLength] = objNum & 0xff;
-    objKey[keyLength + 1] = (objNum >> 8) & 0xff;
-    objKey[keyLength + 2] = (objNum >> 16) & 0xff;
-    objKey[keyLength + 3] = objGen & 0xff;
-    objKey[keyLength + 4] = (objGen >> 8) & 0xff;
-    md5(objKey, keyLength + 5, objKey);
+    if (likely(keyLength < (sizeof(objKey) - 4))) {
+      objKey[keyLength] = objNum & 0xff;
+      objKey[keyLength + 1] = (objNum >> 8) & 0xff;
+      objKey[keyLength + 2] = (objNum >> 16) & 0xff;
+      objKey[keyLength + 3] = objGen & 0xff;
+      objKey[keyLength + 4] = (objGen >> 8) & 0xff;
+      md5(objKey, keyLength + 5, objKey);
+    }
     if ((objKeyLength = keyLength + 5) > 16) {
       objKeyLength = 16;
     }
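Review bot: When the new guard `if (likely(keyLength < (sizeof(objKey) - 4)))` fails, the RC4 case skips the MD5 derivation but still falls through to `objKeyLength = keyLength + 5` clamped to 16, so the stream appears to continue with whatever bytes objKey already holds as its key and no error is recorded. The out-of-bounds write is stopped, but a malformed key length is accepted silently. It would be safer to reject the value where keyLength is first read, or to add an else branch here that flags the stream as unusable so the caller can stop decoding. The comparison also mixes keyLength (presumably a signed int) with a size_t, which rejects negative values only through unsigned conversion; a comment such as `// keyLength + 4 is the highest index written; negative keyLength fails this test after conversion to size_t` would make that explicit. The constructor and the remaining switch cases lie outside this hunk, so it is worth confirming that any other writes indexed from keyLength are bounded the same way.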

