Merge pull request qpdf#1308 from m-holger/fuzz

Validate key length in Pl_AES_PDF constructor
sthagen · Nov 8, 2024 · 3ea83e9 · 3ea83e9
2 parents 54cf0e5 + 64e9839
commit 3ea83e9
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 1 deletion.
diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
@@ -149,6 +149,7 @@ set(CORPUS_OTHER
   99999e.fuzz
   369662293.fuzz
   369662293a.fuzz
+  377977949.fuzz
 )
 
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)

diff --git a/fuzz/qpdf_extra/377977949.fuzz b/fuzz/qpdf_extra/377977949.fuzz
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
 
-my $n_qpdf_files = 86;       # increment when adding new files
+my $n_qpdf_files = 87;       # increment when adding new files
 
 my @fuzzers = (
     ['ascii85' => 1],

diff --git a/libqpdf/Pl_AES_PDF.cc b/libqpdf/Pl_AES_PDF.cc
@@ -23,6 +23,9 @@ Pl_AES_PDF::Pl_AES_PDF(
     if (!next) {
         throw std::logic_error("Attempt to create Pl_AES_PDF with nullptr as next");
     }
+    if (!(key_bytes == 32 || key_bytes == 16)) {
+        throw std::runtime_error("unsupported key length");
+    }
     this->key = std::make_unique<unsigned char[]>(key_bytes);
     std::memcpy(this->key.get(), key, key_bytes);
     std::memset(this->inbuf, 0, this->buf_size);