Avoid a crash decrypting a 16byte value #561
Merged
+34
−16
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
These two decryption classes assume that the input string:
* has a bytesize that is a multiple of 16
* is at least 32 bytes long
I've had very few reports of errors decrypting PDFs so I guess those assumptions hold
true for the majority of PDFs in the wild. In the specific case of a 16 byte input, both
these classes would throw an exception from OpenSSL:
OpenSSL::Cipher#final': wrong final block length (OpenSSL::Cipher::CipherError)
First reported in #560
I'd love to have some tests for these, but generating the input data of different
lengths will take some time. In the interim, I'll land the fix.
yob
force-pushed
the
avoid-crash-on-16byte-encrypted-value
branch
from
4c8e36c to
a228aca
Compare
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Aug 14, 2025
2.15.0 (2025-08-13) * Overhaul sorbet types, moving from an external RBI file to inline comments in RBS syntax - multiple PRs, but mainly yob/pdf-reader#562 - See https://railsatscale.com/2025-04-23-rbs-support-for-sorbet/ - No impact expected for most users, but projects that use sorbet may find subtle changes in the RBI file that is shipped with the gem * Relax version requirements for dependency afm, allow 1.x (yob/pdf-reader#557) * Improve text positioning logic in some PDFs (yob/pdf-reader#554) * Multiple fixes for encrypted files - Some files with passwords > 32 bytes long (yob/pdf-reader#555) - Some files that contain cipher text with a 16 byte IV and no further blocks (yob/pdf-reader#561) - Some files that encrypted data with no padding (yob/pdf-reader#564) * Add jruby 10 to CI matrix (yob/pdf-reader#552)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
These two decryption classes assume that the input string:
I've had very few reports of errors decrypting PDFs so I guess those assumptions hold true for the majority of PDFs in the wild. However in the specific case of a 16 byte input, both these classes would throw an exception from OpenSSL:
First reported in #560 by @gdzevo.
I'd love to have some tests for these, but generating the input data of different lengths will take some time. In the interim, I'll land the fix.