From 951cffeb2cbff4e179043033b5ac7f5eb764d6dc Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Fri, 12 Sep 2008 12:05:53 +0200
Subject: Make sure DecryptAESState::bufIdx is never bigger than 16, otherwise
 we crash

I am not sure this is the correct fix, but fixes crash on files of bugs 13972, 16092 and 17523 and they seem to work ok
---
 poppler/Decrypt.cc | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'poppler/Decrypt.cc')

diff --git a/poppler/Decrypt.cc b/poppler/Decrypt.cc
index d9f14925..50f97bd2 100644
--- a/poppler/Decrypt.cc
+++ b/poppler/Decrypt.cc
@@ -30,6 +30,7 @@
 #include <string.h>
 #include "goo/gmem.h"
 #include "Decrypt.h"
+#include "Error.h"
 
 static void rc4InitKey(Guchar *key, int keyLen, Guchar *state);
 static Guchar rc4DecryptByte(Guchar *state, Guchar *x, Guchar *y, Guchar c);
@@ -614,6 +615,11 @@ static void aesDecryptBlock(DecryptAESState *s, Guchar *in, GBool last) {
       s->buf[i] = s->buf[i-n];
     }
     s->bufIdx = n;
+    if (n > 16)
+    {
+      error(-1, "Reducing bufIdx from %d to 16 to not crash", n);
+      s->bufIdx = 16;
+    }
   }
 }
 
-- 
cgit v1.2.3