From 1f55cee8b3d0956adc98834f7b5832e48e077ed7 Mon Sep 17 00:00:00 2001
From: Eike Hein <hein@kde.org>
Date: Fri, 24 Oct 2014 13:57:54 +0200
Subject: [PATCH 23/23] Do a bounds check on ECB blocks.
Blindly assuming they're the expected 12 chars can lead to a crash
on malformed input.
Original patch by Manuel Nickschas for Quassel, who incorporated
the original Konversation code into Quassel in 2009.
Upstream:
https://github.com/quassel/quassel/commit/8b5ecd226f9208af3074b33d3b7cf5e14f55b138
---
src/cipher.cpp | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/cipher.cpp b/src/cipher.cpp
index 514e390..019b0ac 100644
--- a/src/cipher.cpp
+++ b/src/cipher.cpp
@@ -353,8 +353,12 @@ namespace Konversation
}
else
{
+ // ECB Blowfish encodes in blocks of 12 chars, so anything else is malformed input
+ if ((temp.length() % 12) != 0)
+ return cipherText;
+
temp = b64ToByte(temp);
- while((temp.length() % 8) != 0) temp.append('\0');
+ while ((temp.length() % 8) != 0) temp.append('\0');
}
QCA::Direction dir = (direction) ? QCA::Encode : QCA::Decode;
@@ -362,11 +366,17 @@ namespace Konversation
QByteArray temp2 = cipher.update(QCA::MemoryRegion(temp)).toByteArray();
temp2 += cipher.final().toByteArray();
- if(!cipher.ok())
+ if (!cipher.ok())
return cipherText;
- if(direction)
+ if (direction)
+ {
+ // Sanity check
+ if ((temp2.length() % 8) != 0)
+ return cipherText;
+
temp2 = byteToB64(temp2);
+ }
return temp2;
}
--
1.9.3