1 files changed, 8 insertions, 2 deletions
diff --git a/crypto/src/openpgp/PgpSecretKey.cs b/crypto/src/openpgp/PgpSecretKey.cs
index b3986073d..01cceadbb 100644
--- a/crypto/src/openpgp/PgpSecretKey.cs
+++ b/crypto/src/openpgp/PgpSecretKey.cs
@@ -536,12 +536,15 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp
for (int i = 0; i != 4; i++)
{
- int encLen = (((encData[pos] << 8) | (encData[pos + 1] & 0xff)) + 7) / 8;
+ int encLen = ((((encData[pos] & 0xff) << 8) | (encData[pos + 1] & 0xff)) + 7) / 8;
data[pos] = encData[pos];
data[pos + 1] = encData[pos + 1];
pos += 2;
+ if (encLen > (encData.Length - pos))
+ throw new PgpException("out of range encLen found in encData");
+
byte[] tmp = RecoverKeyData(encAlgorithm, "/CFB/NoPadding", key, iv, encData, pos, encLen);
Array.Copy(tmp, 0, data, pos, encLen);
pos += encLen;
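Review bot: The two-byte length header is still read (`encData[pos]`, `encData[pos + 1]`) and copied into `data` before any bounds check, so key data truncated at a header boundary would raise an IndexOutOfRangeException instead of the PgpException that the new guard throws for an oversized body. A check ahead of the `encLen` computation would close that, e.g. `if (encData.Length - pos < 2) throw new PgpException("truncated length header in encData");`. The `rawKeyData` loop in the second hunk has the same shape and needs the same check. The two new guards also spell one condition two ways (`encData.Length - pos` after `pos += 2` versus `rawKeyData.Length - (pos + 2)`), which is worth aligning so they can be audited side by side. Both loops begin and end outside the visible hunks, so whether a caller already converts the runtime exception cannot be seen from here.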
@@ -984,11 +987,14 @@ namespace Org.BouncyCastle.Bcpg.OpenPgp
int pos = 0;
for (int i = 0; i != 4; i++)
{
- int encLen = (((rawKeyData[pos] << 8) | (rawKeyData[pos + 1] & 0xff)) + 7) / 8;
+ int encLen = ((((rawKeyData[pos] & 0xff) << 8) | (rawKeyData[pos + 1] & 0xff)) + 7) / 8;
keyData[pos] = rawKeyData[pos];
keyData[pos + 1] = rawKeyData[pos + 1];
+ if (encLen > (rawKeyData.Length - (pos + 2)))
+ throw new PgpException("out of range encLen found in rawKeyData");
+
byte[] tmp;
if (i == 0)
{