xmlsecurity: check file header when reading PDF signature

Currently the only non-ZIP-based import filter that declares the
SUPPORTSSIGNING flag is PDF, so if we get a stream without a storage, we
assume it's PDF.

If any other non-ZIP-based format would add that flag in the future,
that would mean PDFDocument::Read() gets that as an input. That means it
makes sense to at least check the file header early in the tokenizer,
and return early when that doesn't match.

Change-Id: I8760d130c4211f37be705e03b22814825042cac8
Reviewed-on: https://gerrit.libreoffice.org/29888Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>

xmlsecurity/source/pdfio/pdfdocument.cxx

@@ -215,7 +215,17 @@ PDFDocument::PDFDocument()
 
 bool PDFDocument::Read(SvStream& rStream)
 {
-    // First look up the offset of the xref table.
+    // Check file magic.
+    std::vector<sal_Int8> aHeader(5);
+    rStream.Seek(0);
+    rStream.ReadBytes(aHeader.data(), aHeader.size());
+    if (aHeader[0] != '%' || aHeader[1] != 'P' || aHeader[2] != 'D' || aHeader[3] != 'F' || aHeader[4] != '-')
+    {
+        SAL_WARN("xmlsecurity.pdfio", "PDFDocument::Read: header mismatch");
+        return false;
+    }
+
+    // Look up the offset of the xref table.
     size_t nStartXRef = FindStartXRef(rStream);
     SAL_INFO("xmlsecurity.pdfio", "PDFDocument::Read: nStartXRef is " << nStartXRef);
     if (nStartXRef == 0)