Don't attempt to decrypt AES streams that are too short
When reading a stream, if it is encrypted using an AES cipher it must
be atleast 16 bytes long aka 128 bits, other wise it is malformed.
BUG=chromium:763585
Change-Id: Ied7c36978f1eb24aeda93a184527b6d6a191e5c3
Reviewed-on: https://pdfium-review.googlesource.com/13751
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Commit-Queue: Ryan Harrison <rharrison@chromium.org>
diff --git a/core/fpdfapi/parser/cpdf_crypto_handler.cpp b/core/fpdfapi/parser/cpdf_crypto_handler.cpp
index ef84480..74428ba 100644
--- a/core/fpdfapi/parser/cpdf_crypto_handler.cpp
+++ b/core/fpdfapi/parser/cpdf_crypto_handler.cpp
@@ -297,6 +297,10 @@
return true;
}
+bool CPDF_CryptoHandler::IsCipherAES() const {
+ return m_Cipher == FXCIPHER_AES;
+}
+
bool CPDF_CryptoHandler::DecryptStream(void* context,
const uint8_t* src_buf,
uint32_t src_size,
diff --git a/core/fpdfapi/parser/cpdf_crypto_handler.h b/core/fpdfapi/parser/cpdf_crypto_handler.h
index 14a5743..adf0c6c 100644
--- a/core/fpdfapi/parser/cpdf_crypto_handler.h
+++ b/core/fpdfapi/parser/cpdf_crypto_handler.h
@@ -48,6 +48,7 @@
uint32_t& dest_size);
bool Init(int cipher, const uint8_t* key, int keylen);
+ bool IsCipherAES() const;
private:
CPDF_CryptoHandler();
diff --git a/core/fpdfapi/parser/cpdf_syntax_parser.cpp b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
index 4a7810f..779bf81 100644
--- a/core/fpdfapi/parser/cpdf_syntax_parser.cpp
+++ b/core/fpdfapi/parser/cpdf_syntax_parser.cpp
@@ -690,6 +690,9 @@
std::unique_ptr<uint8_t, FxFreeDeleter> pData;
if (len > 0) {
+ if (pCryptoHandler && pCryptoHandler->IsCipherAES() && len < 16)
+ return nullptr;
+
pData.reset(FX_Alloc(uint8_t, len));
ReadBlock(pData.get(), len);
if (pCryptoHandler) {
