forcepoint#57 sanity check stream signature size

Change-Id: I5ae459e159a64f32c62278a87e37deb08ab9d6ac Reviewed-on: https://gerrit.libreoffice.org/58448 Tested-by: Jenkins Reviewed-by: Michael Stahl <Michael.Stahl@cib.de>
author: Caolán McNamara <caolanm@redhat.com> 2018-08-01 09:18:16 +0100
committer: Michael Stahl <Michael.Stahl@cib.de> 2018-08-03 10:56:47 +0200
commit: 8ed224599ae7985b577f0bf737b2b9b2e8dd47b7 (patch)
tree: e5ee6875866335b3fe5ccc54d53227faf91a7e75 /xmlsecurity
parent: a5b84a6888deaa406786b350a0adcf9ef9020f48 (diff)
1 files changed, 17 insertions, 13 deletions
diff --git a/xmlsecurity/source/helper/xmlsignaturehelper.cxx b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
index 40c0f19a8fdf..a3bb382a8ea4 100644
--- a/xmlsecurity/source/helper/xmlsignaturehelper.cxx
+++ b/xmlsecurity/source/helper/xmlsignaturehelper.cxx
@@ -369,21 +369,25 @@ bool XMLSignatureHelper::ReadAndVerifySignatureStorage(const uno::Reference<embe
                 if (!bCacheLastSignature && i == aRelationsInfo.getLength() - 1)
                     bCache = false;
 
-                if (bCache)
+                if (!bCache)
+                    continue;
+                // Store the contents of the stream as is, in case we need to write it back later.
+                xInputStream.clear();
+                xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY);
+                uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY);
+                if (!xPropertySet.is())
+                    continue;
+
+                sal_Int64 nSize = 0;
+                xPropertySet->getPropertyValue("Size") >>= nSize;
+                if (nSize < 0 || nSize > SAL_MAX_INT32)
                 {
-                    // Store the contents of the stream as is, in case we need to write it back later.
-                    xInputStream.clear();
-                    xInputStream.set(xStorage->openStreamElement(it->Second, nOpenMode), uno::UNO_QUERY);
-                    uno::Reference<beans::XPropertySet> xPropertySet(xInputStream, uno::UNO_QUERY);
-                    if (xPropertySet.is())
-                    {
-                        sal_Int64 nSize = 0;
-                        xPropertySet->getPropertyValue("Size") >>= nSize;
-                        uno::Sequence<sal_Int8> aData;
-                        xInputStream->readBytes(aData, nSize);
-                        mpXSecController->setSignatureBytes(aData);
-                    }
+                    SAL_WARN("xmlsecurity.helper", "bogus signature size: " << nSize);
+                    continue;
                 }
+                uno::Sequence<sal_Int8> aData;
+                xInputStream->readBytes(aData, nSize);
+                mpXSecController->setSignatureBytes(aData);
             }
         }
     }
author	Caolán McNamara <caolanm@redhat.com>	2018-08-01 09:18:16 +0100
committer	Michael Stahl <Michael.Stahl@cib.de>	2018-08-03 10:56:47 +0200
commit	8ed224599ae7985b577f0bf737b2b9b2e8dd47b7 (patch)
tree	e5ee6875866335b3fe5ccc54d53227faf91a7e75 /xmlsecurity
parent	a5b84a6888deaa406786b350a0adcf9ef9020f48 (diff)