Avoid buffer overrun copying digest

Converting a password to an encryption key is supposed to copy up to a certain number of bytes from a digest. Make sure never to copy more than the size of the digest.

Avoid buffer overrun copying digest
Converting a password to an encryption key is supposed to copy up to a certain number of bytes from a digest. Make sure never to copy more than the size of the digest.
Jay Berkenbilt
1 parent c729e07d
Showing 2 changed files with 8 additions and 1 deletions
ChangeLog
libqpdf/QPDF_encryption.cc
 2015-02-21  Jay Berkenbilt  <ejb@ql.org>
  
+	* Prevent buffer overrun when converting a password to an
+	encryption key. Thanks to Gynvael Coldwind and Mateusz Jurczyk of
+	the Google Security Team for providing a sample file with this
+	problem.
+
 	* Ensure that arguments to "R" when parsing the file are direct
 	objects before trying to resolve them. This prevents specially
 	crafted files from causing qpdf to crash with a stack overflow.
@@ -428,7 +428,9 @@ QPDF::compute_encryption_key_from_password(
     }
     MD5::Digest digest;
     iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0));
-    return std::string(reinterpret_cast<char*>(digest), data.getLengthBytes());
+    return std::string(reinterpret_cast<char*>(digest),
+                       std::min(static_cast<int>(sizeof(digest)),
+                                data.getLengthBytes()));
 }
  
 static void