summaryrefslogtreecommitdiff
path: root/xmlsecurity/source/gpg
diff options
context:
space:
mode:
authorKatarina Behrens <Katarina.Behrens@cib.de>2017-07-14 14:03:31 +0200
committerMiklos Vajna <vmiklos@collabora.co.uk>2017-07-17 10:54:43 +0200
commitb90be9916d3438d3731721ddbd2191ce67e68201 (patch)
treef1d8a1293dbef476be6c6239251d3563b3472808 /xmlsecurity/source/gpg
parentfe34bb37b58dd35e387a782612898ecc3f19400b (diff)
gpg4libre: Don't use xmlStrlen on binary data
Odd things happen inside gpgme if the buffer is prematurely truncated due to \n char and valid signature is then evaluated as invalid Change-Id: I24d4d22af06a3dde6eb7fdfc12953cf1b5f19c1e Reviewed-on: https://gerrit.libreoffice.org/39945 Reviewed-by: Samuel Mehrbrodt <Samuel.Mehrbrodt@cib.de> Tested-by: Jenkins <ci@libreoffice.org> Reviewed-by: Katarina Behrens <Katarina.Behrens@cib.de> (cherry picked from commit 02bb4ebf2b0dd656bfb0e8185e702267606a7e64) Reviewed-on: https://gerrit.libreoffice.org/39964 Reviewed-by: Thorsten Behrens <Thorsten.Behrens@CIB.de> Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk> Tested-by: Miklos Vajna <vmiklos@collabora.co.uk>
Diffstat (limited to 'xmlsecurity/source/gpg')
-rw-r--r--xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx5
1 files changed, 3 insertions, 2 deletions
diff --git a/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
index 1667af6f59ad..0700c43f1ea6 100644
--- a/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
+++ b/xmlsecurity/source/gpg/xmlsignature_gpgimpl.cxx
@@ -359,12 +359,13 @@ SAL_CALL XMLSignature_GpgImpl::validate(
if(!xmlSecCheckNodeName(cur, xmlSecNodeSignatureValue, xmlSecDSigNs))
throw RuntimeException("The GpgME library failed to initialize for the OpenPGP protocol.");
xmlChar* pSignatureValue=xmlNodeGetContent(cur);
- if(xmlSecBase64Decode(pSignatureValue, reinterpret_cast<xmlSecByte*>(pSignatureValue), xmlStrlen(pSignatureValue)) < 0)
+ int nSigSize = xmlSecBase64Decode(pSignatureValue, reinterpret_cast<xmlSecByte*>(pSignatureValue), xmlStrlen(pSignatureValue));
+ if( nSigSize < 0)
throw RuntimeException("The GpgME library failed to initialize for the OpenPGP protocol.");
GpgME::Data data_signature(
reinterpret_cast<char*>(pSignatureValue),
- xmlStrlen(pSignatureValue), false);
+ nSigSize, false);
GpgME::VerificationResult verify_res=rCtx.verifyDetachedSignature(
data_signature, data_text);