diff options
author | Caolán McNamara <caolanm@redhat.com> | 2018-08-01 09:18:16 +0100 |
---|---|---|
committer | Andras Timar <andras.timar@collabora.com> | 2019-08-22 12:33:07 +0200 |
commit | 71329eb4d93145560618f9e670d079f5a859478c (patch) | |
tree | 0e3e96bd44e3f7b00d0dfe10513dd8e32fe5a7ab | |
parent | 58c39c1b5660793d10794d70e4dd07da13811df1 (diff) |
forcepoint#57 sanity check stream signature size
Change-Id: I5ae459e159a64f32c62278a87e37deb08ab9d6ac
Reviewed-on: https://gerrit.libreoffice.org/58448
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
(cherry picked from commit 8ed224599ae7985b577f0bf737b2b9b2e8dd47b7)
-rw-r--r-- | xmlsecurity/source/helper/xmlsignaturehelper.cxx | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx index 36a6117c29a0..58934286b59c 100644 --- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx +++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx @@ -378,21 +378,25 @@ bool XMLSignatureHelper::ReadAndVerifySignatureStorage(const uno::Reference<embe if (!bCacheLastSignature && i == aRelationsInfo.getLength() - 1) bCache = false; - if (bCache) + if (!bCache) + continue; + // Store the contents of the stream as is, in case we need to write it back later. + xInputStream.clear(); + xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY); + uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY); + if (!xPropertySet.is()) + continue; + + sal_Int64 nSize = 0; + xPropertySet->getPropertyValue("Size") >>= nSize; + if (nSize < 0 || nSize > SAL_MAX_INT32) { - // Store the contents of the stream as is, in case we need to write it back later. - xInputStream.clear(); - xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY); - uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY); - if (xPropertySet.is()) - { - sal_Int64 nSize = 0; - xPropertySet->getPropertyValue("Size") >>= nSize; - uno::Sequence<sal_Int8> aData; - xInputStream->readBytes(aData, nSize); - mpXSecController->setSignatureBytes(aData); - } + SAL_WARN("xmlsecurity.helper", "bogus signature size: " << nSize); + continue; } + uno::Sequence<sal_Int8> aData; + xInputStream->readBytes(aData, nSize); + mpXSecController->setSignatureBytes(aData); } } } |