Description
Hello,
If I feed malformed ASCII-armored data to PGPObjectFactory, I would expect to get a PGPException.
But applying the accompanying file (please unzip it first; the file itself contains random bytes) provokes an ArrayIndexOutOfBoundsException from ArmoredInputStream!
I've written this test code to demonstrate it:
```java
@Test
public void bouncyCastleIssue() throws IOException {
    final File testFile = new File("./ArrayIndexOutOfBoundsException.test").getCanonicalFile();
    try (final InputStream streamOfTestFile = new FileInputStream(testFile)) {
        try (final InputStream decoderStreamOfTestFile = PGPUtil.getDecoderStream(streamOfTestFile)) {
            final PGPObjectFactory pgpObjectFactoryOfTestFile = new PGPObjectFactory(
                    decoderStreamOfTestFile, new JcaKeyFingerprintCalculator());
            System.out.println(pgpObjectFactoryOfTestFile.nextObject()); // <-- HERE
        }
    }
}
```
It yields

```
java.lang.ArrayIndexOutOfBoundsException: 151
    at org.bouncycastle.bcpg.ArmoredInputStream.decode(Unknown Source)
    at org.bouncycastle.bcpg.ArmoredInputStream.read(Unknown Source)
    at org.bouncycastle.bcpg.BCPGInputStream.nextPacketTag(Unknown Source)
    at org.bouncycastle.openpgp.PGPObjectFactory.nextObject(Unknown Source)
    [...]
```
Some background info:
A customer forgets to encrypt and sign a file he uploads to our server; he simply delivers a gzipped-only file.
This provokes the ArrayIndexOutOfBoundsException. I'm not able to provide this file ... it's simply too large (more than 5 GB) and contains confidential information.
So I've tried to reproduce the problem with random bytes. Most of the time I receive a PGPException, but sometimes an ArrayIndexOutOfBoundsException.
Regards
Christian
ArrayIndexOutOfBoundsException.zip
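
A defensive way for calling code to handle untrusted uploads like the one described above, as an added example that is not part of the original report or of Bouncy Castle's own code. The class name `UntrustedPgpUpload`, the gzip magic-byte pre-check and the error messages are assumptions; the Bouncy Castle calls are the ones used in the report's test.

```java
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;

/** Hypothetical helper: reads the first OpenPGP object of an untrusted upload. */
public final class UntrustedPgpUpload {

    private UntrustedPgpUpload() {}

    /** Returns the first PGP object, or throws PGPException for input that does not parse. */
    public static Object firstObject(Path upload) throws IOException, PGPException {
        try (InputStream in = new BufferedInputStream(Files.newInputStream(upload))) {
            // Cheap pre-check for the case in the report: a plain gzip file (magic 0x1f 0x8b).
            in.mark(2);
            int b0 = in.read();
            int b1 = in.read();
            in.reset();
            if (b0 == 0x1f && b1 == 0x8b) {
                throw new PGPException("upload is a gzip file, not OpenPGP data");
            }
            try (InputStream decoded = PGPUtil.getDecoderStream(in)) {
                PGPObjectFactory factory =
                        new PGPObjectFactory(decoded, new JcaKeyFingerprintCalculator());
                Object first = factory.nextObject();
                if (first == null) {
                    throw new PGPException("upload contains no OpenPGP object");
                }
                return first;
            } catch (RuntimeException e) {
                // Unchecked exceptions from the decoder (such as the
                // ArrayIndexOutOfBoundsException above) are reported as malformed
                // input, so one bad upload cannot escape the caller's error handling.
                throw new PGPException("malformed OpenPGP data", e);
            }
        }
    }
}
```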