be safer when processing parts in AttachmentDownloadJob

Closes #4166
// FREEBIE

src/org/thoughtcrime/securesms/crypto/MasterCipher.java

@@ -17,6 +17,7 @@
  */
 package org.thoughtcrime.securesms.crypto;
 
+import android.support.annotation.NonNull;
 import android.util.Log;
 
 import org.thoughtcrime.securesms.util.Base64;
@@ -92,7 +93,7 @@ public class MasterCipher {
     }
   }
 	
-  public byte[] decryptBytes(byte[] decodedBody) throws InvalidMessageException {
+  public byte[] decryptBytes(@NonNull byte[] decodedBody) throws InvalidMessageException {
     try {
       Mac mac              = getMac(masterSecret.getMacKey());
       byte[] encryptedBody = verifyMacBody(mac, decodedBody);
@@ -103,7 +104,7 @@ public class MasterCipher {
       return encrypted;
     } catch (GeneralSecurityException ge) {
       throw new InvalidMessageException(ge);
-    }		
+    }
   }
 	
   public byte[] encryptBytes(byte[] body) {
@@ -153,7 +154,11 @@ public class MasterCipher {
     return Base64.encodeBytes(encryptedAndMacBody);
   }
 	
-  private byte[] verifyMacBody(Mac hmac, byte[] encryptedAndMac) throws InvalidMessageException {		
+  private byte[] verifyMacBody(@NonNull Mac hmac, @NonNull byte[] encryptedAndMac) throws InvalidMessageException {
+    if (encryptedAndMac.length < hmac.getMacLength()) {
+      throw new InvalidMessageException("length(encrypted body + MAC) < length(MAC)");
+    }
+
     byte[] encrypted = new byte[encryptedAndMac.length - hmac.getMacLength()];
     System.arraycopy(encryptedAndMac, 0, encrypted, 0, encrypted.length);
 		

src/org/thoughtcrime/securesms/jobs/AttachmentDownloadJob.java

@@ -15,6 +15,7 @@ import org.thoughtcrime.securesms.jobs.requirements.MasterSecretRequirement;
 import org.thoughtcrime.securesms.jobs.requirements.MediaNetworkRequirement;
 import org.thoughtcrime.securesms.notifications.MessageNotifier;
 import org.thoughtcrime.securesms.util.Util;
+import org.thoughtcrime.securesms.util.VisibleForTesting;
 import org.whispersystems.jobqueue.JobParameters;
 import org.whispersystems.jobqueue.requirements.NetworkRequirement;
 import org.whispersystems.libaxolotl.InvalidMessageException;
@@ -122,10 +123,16 @@ public class AttachmentDownloadJob extends MasterSecretJob implements Injectable
     }
   }
 
-  private TextSecureAttachmentPointer createAttachmentPointer(MasterSecret masterSecret, PduPart part)
+  @VisibleForTesting
+  TextSecureAttachmentPointer createAttachmentPointer(MasterSecret masterSecret, PduPart part)
       throws InvalidPartException
   {
-    if (part.getContentLocation() == null) throw new InvalidPartException("null content location");
+    if (part.getContentLocation() == null || part.getContentLocation().length == 0) {
+      throw new InvalidPartException("empty content id");
+    }
+    if (part.getContentDisposition() == null || part.getContentDisposition().length == 0) {
+      throw new InvalidPartException("empty encrypted key");
+    }
 
     try {
       AsymmetricMasterSecret asymmetricMasterSecret = MasterSecretUtil.getAsymmetricMasterSecret(context, masterSecret);
@@ -164,7 +171,7 @@ public class AttachmentDownloadJob extends MasterSecretJob implements Injectable
     }
   }
 
-  private static class InvalidPartException extends Exception {
+  @VisibleForTesting static class InvalidPartException extends Exception {
     public InvalidPartException(String s) {super(s);}
     public InvalidPartException(Exception e) {super(e);}
   }