From c5440d115affd3b309a3e33b79fc54f2af611c32 Mon Sep 17 00:00:00 2001
From: jedarden <github@jedarden.com>
Date: Thu, 28 May 2026 01:56:07 -0400
Subject: [PATCH] fix(pdftract-495uv): AES-128 test buffer allocation for
 PKCS#7 padding

Fixed test_aes_128_decrypt_roundtrip_with_valid_padding and two similar
tests to use the ciphertext slice returned by encrypt_padded_mut instead of
the entire buffer. The buffer is over-allocated to accommodate padding, but
only the returned slice contains valid ciphertext. Using the entire buffer
included trailing zeros that caused decryption to fail with invalid padding.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .../tests/encryption_aes_128_test.rs          | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/crates/pdftract-core/tests/encryption_aes_128_test.rs b/crates/pdftract-core/tests/encryption_aes_128_test.rs
index b5fab57..ffa6bed 100644
--- a/crates/pdftract-core/tests/encryption_aes_128_test.rs
+++ b/crates/pdftract-core/tests/encryption_aes_128_test.rs
@@ -140,14 +140,14 @@ mod tests {
         let mut data_copy = vec![0u8; plaintext.len() + 16];
         data_copy[..plaintext.len()].copy_from_slice(plaintext);
         let encryptor = Aes128CbcEnc::new(&key.into(), &iv.into());
-        encryptor
+        let ct = encryptor
             .encrypt_padded_mut::<Pkcs7>(&mut data_copy, plaintext.len())
             .unwrap();
 
-        // Prepare data: IV + ciphertext (entire buffer after encrypt_padded_mut)
-        let mut encrypted_data = Vec::with_capacity(16 + data_copy.len());
+        // Prepare data: IV + ciphertext (use the returned slice which has correct length)
+        let mut encrypted_data = Vec::with_capacity(16 + ct.len());
         encrypted_data.extend_from_slice(&iv);
-        encrypted_data.extend_from_slice(&data_copy);
+        encrypted_data.extend_from_slice(ct);
 
         // Decrypt
         let result = aes_128_decrypt(&file_key, object_number, generation, &encrypted_data);
@@ -310,14 +310,14 @@ mod tests {
         let mut data_copy = vec![0u8; plaintext.len() + 16];
         data_copy[..plaintext.len()].copy_from_slice(plaintext);
         let encryptor = Aes128CbcEnc::new(&key.into(), &iv.into());
-        encryptor
+        let ct = encryptor
             .encrypt_padded_mut::<Pkcs7>(&mut data_copy, plaintext.len())
             .unwrap();
 
         // Prepare data: IV + ciphertext
-        let mut encrypted_data = Vec::with_capacity(16 + data_copy.len());
+        let mut encrypted_data = Vec::with_capacity(16 + ct.len());
         encrypted_data.extend_from_slice(&iv);
-        encrypted_data.extend_from_slice(&data_copy);
+        encrypted_data.extend_from_slice(ct);
 
         // Decrypt
         let result = aes_128_decrypt(&file_key, object_number, generation, &encrypted_data);
@@ -352,14 +352,14 @@ mod tests {
         let mut data_copy = vec![0u8; plaintext.len() + 16];
         data_copy[..plaintext.len()].copy_from_slice(plaintext);
         let encryptor = Aes128CbcEnc::new(&key.into(), &iv.into());
-        encryptor
+        let ct = encryptor
             .encrypt_padded_mut::<Pkcs7>(&mut data_copy, plaintext.len())
             .unwrap();
 
         // Prepare data: IV + ciphertext
-        let mut encrypted_data = Vec::with_capacity(16 + data_copy.len());
+        let mut encrypted_data = Vec::with_capacity(16 + ct.len());
         encrypted_data.extend_from_slice(&iv);
-        encrypted_data.extend_from_slice(&data_copy);
+        encrypted_data.extend_from_slice(ct);
 
         // Decrypt
         let result = aes_128_decrypt(&file_key, object_number, generation, &encrypted_data);