Fix memory access error

A previous fix introduced a potentially memory overrun under certain rare conditions. The test suite now once again passes with address sanitizer.

Fix memory access error
A previous fix introduced a potentially memory overrun under certain rare conditions. The test suite now once again passes with address sanitizer.
Jay Berkenbilt
1 parent b6e414b1
Showing 1 changed file with 7 additions and 7 deletions
libqpdf/QPDF_encryption.cc
@@ -437,11 +437,10 @@ QPDF::compute_encryption_key_from_password(
 	md5.encodeDataIncrementally(bytes, 4);
     }
     MD5::Digest digest;
-    iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0),
-                       data.getLengthBytes());
-    return std::string(reinterpret_cast<char*>(digest),
-                       std::min(static_cast<int>(sizeof(digest)),
-                                data.getLengthBytes()));
+    int key_len = std::min(static_cast<int>(sizeof(digest)),
+                           data.getLengthBytes());
+    iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0), key_len);
+    return std::string(reinterpret_cast<char*>(digest), key_len);
 }
  
 static void
@@ -464,8 +463,9 @@ compute_O_rc4_key(std::string const&amp; user_password,
     md5.encodeDataIncrementally(
 	pad_or_truncate_password_V4(password).c_str(), key_bytes);
     MD5::Digest digest;
-    iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0),
-                       data.getLengthBytes());
+    int key_len = std::min(static_cast<int>(sizeof(digest)),
+                           data.getLengthBytes());
+    iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0), key_len);
     memcpy(key, digest, OU_key_bytes_V4);
 }