xmlsecurity/source/xmlsec/nss/ciphercontext.cxx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
New commits: commit c218b7eab57625a256023e82e2f77a6c3d18fe46 Author: Michael Stahl <[email protected]> AuthorDate: Thu Dec 7 15:46:59 2023 +0100 Commit: Michael Stahl <[email protected]> CommitDate: Thu Dec 7 18:01:49 2023 +0100 xmlsecurity: W3C padding max size is the block size Change-Id: I90c48aafd11deb2895d01c90764fc433a9161e07 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/160434 Tested-by: Jenkins Reviewed-by: Michael Stahl <[email protected]> diff --git a/xmlsecurity/source/xmlsec/nss/ciphercontext.cxx b/xmlsecurity/source/xmlsec/nss/ciphercontext.cxx index 9577c6d9c025..5be6eb26c6d2 100644 --- a/xmlsecurity/source/xmlsec/nss/ciphercontext.cxx +++ b/xmlsecurity/source/xmlsec/nss/ciphercontext.cxx @@ -23,6 +23,7 @@ #include <osl/diagnose.h> #include <rtl/random.h> #include <rtl/ref.hxx> +#include <sal/log.hxx> #include "ciphercontext.hxx" #include <pk11pub.h> @@ -247,7 +248,8 @@ uno::Sequence< ::sal_Int8 > SAL_CALL OCipherContext::finalizeCipherContextAndDis OSL_ENSURE( aResult.getLength() >= m_nBlockSize, "Not enough data to handle the padding!" ); sal_Int8 nBytesToRemove = aResult[aResult.getLength() - 1]; - if ( nBytesToRemove <= 0 || nBytesToRemove > aResult.getLength() ) + // see https://www.w3.org/TR/xmlenc-core1/#sec-Alg-Block + if (nBytesToRemove <= 0 || m_nBlockSize < nBytesToRemove) { m_bBroken = true; Dispose();
