authorCaolán McNamara <caolanm@redhat.com>2018-08-01 09:18:16 +0100
committerAndras Timar <andras.timar@collabora.com>2019-08-22 12:33:07 +0200
commit71329eb4d93145560618f9e670d079f5a859478c (patch)
tree0e3e96bd44e3f7b00d0dfe10513dd8e32fe5a7ab
parent58c39c1b5660793d10794d70e4dd07da13811df1 (diff)
forcepoint#57 sanity check stream signature size
Change-Id: I5ae459e159a64f32c62278a87e37deb08ab9d6ac Reviewed-on: https://gerrit.libreoffice.org/58448 Tested-by: Jenkins Reviewed-by: Michael Stahl <Michael.Stahl@cib.de> (cherry picked from commit 8ed224599ae7985b577f0bf737b2b9b2e8dd47b7)
-rw-r--r--xmlsecurity/source/helper/xmlsignaturehelper.cxx30
1 files changed, 17 insertions, 13 deletions
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
index 36a6117c29a0..58934286b59c 100644
--- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
@@ -378,21 +378,25 @@ bool XMLSignatureHelper::ReadAndVerifySignatureStorage(const uno::Reference<embe
if (!bCacheLastSignature && i == aRelationsInfo.getLength() - 1)
bCache = false;
- if (bCache)
+ if (!bCache)
+ continue;
+ // Store the contents of the stream as is, in case we need to write it back later.
+ xInputStream.clear();
+ xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY);
+ uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY);
+ if (!xPropertySet.is())
+ continue;
+
+ sal_Int64 nSize = 0;
+ xPropertySet->getPropertyValue("Size") >>= nSize;
+ if (nSize < 0 || nSize > SAL_MAX_INT32)
{
- // Store the contents of the stream as is, in case we need to write it back later.
- xInputStream.clear();
- xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY);
- uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY);
- if (xPropertySet.is())
- {
- sal_Int64 nSize = 0;
- xPropertySet->getPropertyValue("Size") >>= nSize;
- uno::Sequence<sal_Int8> aData;
- xInputStream->readBytes(aData, nSize);
- mpXSecController->setSignatureBytes(aData);
- }
+ SAL_WARN("xmlsecurity.helper", "bogus signature size: " << nSize);
+ continue;
}
+ uno::Sequence<sal_Int8> aData;
+ xInputStream->readBytes(aData, nSize);
+ mpXSecController->setSignatureBytes(aData);
}
}
}
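Review bot: The upper bound in `if (nSize < 0 || nSize > SAL_MAX_INT32)` only guarantees that the value fits the 32-bit count passed to `readBytes`; it still accepts a "Size" of up to about 2 GiB. That property is read from the document's own storage, so a malformed file can presumably still request a very large buffer for what should be a small signature stream. A much tighter cap would help, e.g. `if (nSize < 0 || nSize > MAX_SIGNATURE_STREAM_SIZE)` (placeholder name; the limit is for the project to choose). Separately, the result of `xPropertySet->getPropertyValue("Size") >>= nSize` is ignored, so a failed extraction leaves `nSize` at 0 and an empty sequence reaches `setSignatureBytes`; wrapping it as `if (!(xPropertySet->getPropertyValue("Size") >>= nSize)) continue;` would skip that case. The enclosing loop and function begin outside this hunk, so how the cached bytes are used later is not visible here.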