diff options
author | Lei Zhang <thestig@chromium.org> | 2020-01-06 23:01:45 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-06 12:03:35 +0000 |
commit | 7b2e898f2b4626693f8902bead0b60a54d37aa27 (patch) | |
tree | 28e6b35c339f8a3c78dbd7a90097d82f7b8028e8 | |
parent | 8b524801b75089fa6a6f5d8309e4e5ed4b0bba6c (diff) | |
download | qtwebengine-chromium-7b2e898f2b4626693f8902bead0b60a54d37aa27.tar.gz |
[Backport] CVE-2020-6398 - Uninitialized use in PDFium
Manual backport of patch originally reviewed on
https://pdfium-review.googlesource.com/c/pdfium/+/63933:
M80: Avoid regenerating revision 5 and 6 encryption dictionaries.
Unlike revision 2 and 3, revision 5 and 6 encryption is not tied to the
document ID in the trailer. Thus regenerating the encryption dictionary
when the ID changes is completely unnecessary. Avoid doing this.
Unlike https://pdfium-review.googlesource.com/c/pdfium/+/63933, this
merge CL does not include the tests.
Bug: chromium:1032090
Change-Id: I7f855cd31968f28668c0cf0ded8286d17fc990ad
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/third_party/pdfium/core/fpdfapi/edit/cpdf_creator.cpp | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/chromium/third_party/pdfium/core/fpdfapi/edit/cpdf_creator.cpp b/chromium/third_party/pdfium/core/fpdfapi/edit/cpdf_creator.cpp index 11c0f2d089b..9706f0b3908 100644 --- a/chromium/third_party/pdfium/core/fpdfapi/edit/cpdf_creator.cpp +++ b/chromium/third_party/pdfium/core/fpdfapi/edit/cpdf_creator.cpp @@ -617,7 +617,9 @@ void CPDF_Creator::InitID() { m_pIDArray->Add(m_pIDArray->GetObjectAt(0)->Clone()); if (m_pEncryptDict) { ASSERT(m_pParser); - if (m_pEncryptDict->GetStringFor("Filter") == "Standard") { + int revision = m_pEncryptDict->GetIntegerFor("R"); + if ((revision == 2 || revision == 3) && + m_pEncryptDict->GetStringFor("Filter") == "Standard") { m_pNewEncryptDict = ToDictionary(m_pEncryptDict->Clone()); m_pEncryptDict = m_pNewEncryptDict.Get(); m_pSecurityHandler = pdfium::MakeRetain<CPDF_SecurityHandler>(); |