diff options
author | Caolán McNamara <caolanm@redhat.com> | 2018-08-01 09:18:16 +0100 |
---|---|---|
committer | Michael Stahl <Michael.Stahl@cib.de> | 2018-08-03 10:56:47 +0200 |
commit | 8ed224599ae7985b577f0bf737b2b9b2e8dd47b7 (patch) | |
tree | e5ee6875866335b3fe5ccc54d53227faf91a7e75 /xmlsecurity | |
parent | a5b84a6888deaa406786b350a0adcf9ef9020f48 (diff) |
forcepoint#57 sanity check stream signature size
Change-Id: I5ae459e159a64f32c62278a87e37deb08ab9d6ac
Reviewed-on: https://gerrit.libreoffice.org/58448
Tested-by: Jenkins
Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
Diffstat (limited to 'xmlsecurity')
-rw-r--r-- | xmlsecurity/source/helper/xmlsignaturehelper.cxx | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx index 40c0f19a8fdf..a3bb382a8ea4 100644 --- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx +++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx @@ -369,21 +369,25 @@ bool XMLSignatureHelper::ReadAndVerifySignatureStorage(const uno::Reference<embe if (!bCacheLastSignature && i == aRelationsInfo.getLength() - 1) bCache = false; - if (bCache) + if (!bCache) + continue; + // Store the contents of the stream as is, in case we need to write it back later. + xInputStream.clear(); + xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY); + uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY); + if (!xPropertySet.is()) + continue; + + sal_Int64 nSize = 0; + xPropertySet->getPropertyValue("Size") >>= nSize; + if (nSize < 0 || nSize > SAL_MAX_INT32) { - // Store the contents of the stream as is, in case we need to write it back later. - xInputStream.clear(); - xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY); - uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY); - if (xPropertySet.is()) - { - sal_Int64 nSize = 0; - xPropertySet->getPropertyValue("Size") >>= nSize; - uno::Sequence<sal_Int8> aData; - xInputStream->readBytes(aData, nSize); - mpXSecController->setSignatureBytes(aData); - } + SAL_WARN("xmlsecurity.helper", "bogus signature size: " << nSize); + continue; } + uno::Sequence<sal_Int8> aData; + xInputStream->readBytes(aData, nSize); + mpXSecController->setSignatureBytes(aData); } } } |