
Integer Overflow / Wraparound in _pdfioValueRead #52

Closed
k00l-beanz opened this issue Nov 16, 2023 · 1 comment


k00l-beanz commented Nov 16, 2023

Describe the bug
Hallo 👋. I have found an integer wraparound bug in pdfio-value.c; _pdfioValueRead; line 388. If v->value.binary.datalen < ivlen, the arithmetic operation will cause the len parameter passed to _pdfioCryptoAESDecrypt to overflow/underflow, as size_t is typically an unsigned integer (https://en.wikipedia.org/wiki/C_data_types#stddef.h).

There are a few ways to prevent this but the simplest way would be to check if v->value.binary.datalen >= ivlen (granted, I've never been a software engineer so take this with a grain of salt).

To Reproduce
The following pdf triggers the bug - bad.pdf

$ sha256sum bad.pdf
983fcdb12d77599bc0632906d5b3303e9ccacb055099c5d58fe2e4da8fe0643d  bad.pdf
$ ./pdfiototext ./bad.pdf 
Segmentation fault (core dumped)

Expected behavior
pdfiototext should be able to gracefully exit if this occurs.

System Information:

  • OS / Architecture
$ cat /etc/os-release 
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
$ uname -a
Linux user-VirtualBox 6.2.0-36-generic #37~22.04.1-Ubuntu SMP PREEMPT_DYNAMIC Mon Oct  9 15:34:04 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Additional context
Cheers mate 🍷


Follow up: In pdfio-aes.c; when _pdfioCryptoAESDecrypt is called by _pdfioValueRead, if inbuffer != outbuffer, then a memcpy will execute leading to a heap overflow.

~ k00l_beanz
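An added C example, not pdfio's own code, modelling the two checks the report and the follow-up ask for: a guard against datalen < ivlen before the unsigned subtraction, and a capacity check on the copy that runs when the input and output buffers differ. The function names and the outcap parameter are hypothetical stand-ins, not pdfio's internal signatures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unchecked computation, kept only to show the wraparound the report
 * describes: with datalen=8 and ivlen=16 the result is SIZE_MAX - 7. */
size_t unchecked_payload_len(size_t datalen, size_t ivlen)
{
    return datalen - ivlen;
}

/* Hypothetical guarded replacement: refuses a value shorter than its IV
 * and leaves *len untouched, so no wrapped length reaches the decryptor. */
bool aes_payload_len(size_t datalen, size_t ivlen, size_t *len)
{
    if (datalen < ivlen)
        return false;
    *len = datalen - ivlen;
    return true;
}

/* Hypothetical stand-in for the copy step the follow-up mentions: when
 * in != out, copy only if the destination can hold len bytes.
 * Returns bytes copied, or 0 when the length is rejected. */
size_t copy_if_fits(unsigned char *out, size_t outcap,
                    const unsigned char *in, size_t len)
{
    if (len > outcap)
        return 0;
    if (in != out)
        memcpy(out, in, len);
    return len;
}

int main(void)
{
    /* Constructed input: an 8-byte value against a 16-byte AES IV. */
    size_t datalen = 8, ivlen = 16, len = 0;
    printf("unchecked: %zu\n", unchecked_payload_len(datalen, ivlen));
    printf("checked: %s\n", aes_payload_len(datalen, ivlen, &len)
                                ? "ok" : "rejected (datalen < ivlen)");
    return 0;
}
```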
