PDFBox / PDFBOX-4622

Various exceptions in TTFParser.parse


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.16, 2.0.16
    • Fix Version/s: 1.8.17, 2.0.17, 3.0.0 PDFBox
    • Component/s: FontBox
    • Labels: None
    • Environment: openjdk version "1.8.0_212"
      OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_212-b03)
      OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.212-b03, mixed mode)

      MacOS Mojave

    Description

      TTFParser.parse can lead to various unchecked exceptions when parsing malformed inputs.

      Steps to repro

      1. Create & compile Main.java: 
        import org.apache.fontbox.ttf.TTFParser;
        
        class Main {
          public static void main(String[] args) throws Throwable {
            (new TTFParser()).parse(System.in);
          }
        }
      2. Download the inputs (fontbox-exceptions.zip) and extract them.
      3. For each input, run `cat <input> | java -cp 'jars/*' Main` to reproduce the exceptions, where `jars` is a folder containing the pdfbox jars.

      Stacktraces

      $ cat NullPtrException.HorizontalMetricsTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.NullPointerException
       at org.apache.fontbox.ttf.HorizontalMetricsTable.read(HorizontalMetricsTable.java:53)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.PostScriptTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 258
       at org.apache.fontbox.ttf.PostScriptTable.read(PostScriptTable.java:137)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.NamingTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -1674355620
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readUnsignedShort(MemoryTTFDataStream.java:116)
       at org.apache.fontbox.ttf.NamingTable.read(NamingTable.java:63)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.CmapSubtable.initSubtable | java -cp 'jars/*' Main
      Aug 05, 2019 4:13:54 PM org.apache.fontbox.ttf.CmapSubtable processSubtype13
      WARNING: Format 13 cmap contains an invalid glyph index
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -916972
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readUnsignedShort(MemoryTTFDataStream.java:116)
       at org.apache.fontbox.ttf.CmapSubtable.initSubtable(CmapSubtable.java:74)
       at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:86)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.HorizontalHeaderTable.read | java -cp 'jars/*' Main
      Aug 05, 2019 4:13:54 PM org.apache.fontbox.ttf.CmapSubtable processSubtype12
      WARNING: Format 12 cmap contains an invalid glyph index
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -524
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readSignedShort(MemoryTTFDataStream.java:134)
       at org.apache.fontbox.ttf.TTFDataStream.read32Fixed(TTFDataStream.java:50)
       at org.apache.fontbox.ttf.HorizontalHeaderTable.read(HorizontalHeaderTable.java:65)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat NullPtrException.IndexToLocationTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.NullPointerException
       at org.apache.fontbox.ttf.IndexToLocationTable.read(IndexToLocationTable.java:57)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TrueTypeFont.getTable(TrueTypeFont.java:142)
       at org.apache.fontbox.ttf.TrueTypeFont.getIndexToLocation(TrueTypeFont.java:232)
       at org.apache.fontbox.ttf.GlyphTable.read(GlyphTable.java:67)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.CmapTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -2147483116
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readUnsignedShort(MemoryTTFDataStream.java:116)
       at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:75)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat NullPtrException.VerticalMetricsTable.read | java -cp 'jars/*' Main
      ...
      Exception in thread "main" java.lang.NullPointerException
       at org.apache.fontbox.ttf.VerticalMetricsTable.read(VerticalMetricsTable.java:60)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat NullPtrException.CmapSubtable.processSubtype13 | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.NullPointerException
       at org.apache.fontbox.ttf.CmapSubtable.processSubtype13(CmapSubtable.java:319)
       at org.apache.fontbox.ttf.CmapSubtable.initSubtable(CmapSubtable.java:114)
       at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:86)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.MaximumProfileTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -1788932292
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readSignedShort(MemoryTTFDataStream.java:134)
       at org.apache.fontbox.ttf.TTFDataStream.read32Fixed(TTFDataStream.java:50)
       at org.apache.fontbox.ttf.MaximumProfileTable.read(MaximumProfileTable.java:274)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TrueTypeFont.getTable(TrueTypeFont.java:142)
       at org.apache.fontbox.ttf.TrueTypeFont.getMaximumProfile(TrueTypeFont.java:188)
       at org.apache.fontbox.ttf.TrueTypeFont.getNumberOfGlyphs(TrueTypeFont.java:369)
       at org.apache.fontbox.ttf.IndexToLocationTable.read(IndexToLocationTable.java:53)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TrueTypeFont.getTable(TrueTypeFont.java:142)
       at org.apache.fontbox.ttf.TrueTypeFont.getIndexToLocation(TrueTypeFont.java:232)
       at org.apache.fontbox.ttf.GlyphTable.read(GlyphTable.java:67)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)

      The files were generated by fuzzing and are (probably) not valid TTF files.
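
A triage harness for checking a FontBox version against a folder of malformed fonts, added here as an example; it is not part of the original report or of the PDFBox code base. It uses the same `TTFParser.parse(InputStream)` call as the Main.java above; the class name `TtfTriage` and the folder argument are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import java.util.TreeMap;

import org.apache.fontbox.ttf.TTFParser;
import org.apache.fontbox.ttf.TrueTypeFont;

// Added example (hypothetical class name): classifies how the FontBox version
// on the classpath fails on each file in a folder of malformed fonts.
class TtfTriage {
  // Parse one file and report whether it parsed, was rejected, or crashed.
  static String classify(Path file) {
    try (InputStream in = Files.newInputStream(file)) {
      TrueTypeFont font = new TTFParser().parse(in);
      font.close();
      return "PARSED";
    } catch (IOException e) {
      // Checked exception: a rejection that callers are forced to handle.
      return "REJECTED";
    } catch (RuntimeException e) {
      // Unchecked exception (NullPointerException, ArrayIndexOutOfBoundsException, ...):
      // the failure mode this issue reports. Keep the top frame for grouping.
      StackTraceElement[] st = e.getStackTrace();
      String where = st.length > 0 ? st[0].getClassName() + "." + st[0].getMethodName() : "?";
      return "UNCHECKED " + e.getClass().getSimpleName() + " at " + where;
    }
  }

  public static void main(String[] args) throws IOException {
    Map<String, Integer> counts = new TreeMap<>();
    boolean unchecked = false;
    try (DirectoryStream<Path> dir = Files.newDirectoryStream(Paths.get(args[0]))) {
      for (Path file : dir) {
        String outcome = classify(file);
        System.out.println(file.getFileName() + ": " + outcome);
        counts.merge(outcome.split(" ")[0], 1, Integer::sum);
        unchecked |= outcome.startsWith("UNCHECKED");
      }
    }
    System.out.println(counts);
    // Non-zero exit lets a CI job fail while unchecked exceptions remain.
    System.exit(unchecked ? 1 : 0);
  }
}
```

Run it with the FontBox jars and the compiled class on the classpath, passing the folder of extracted inputs as the only argument. Code that parses untrusted fonts on an affected version can use the same `catch (RuntimeException e)` branch to treat these failures as a rejected input.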


          People

            Assignee: Tilman Hausherr (tilman)
            Reporter: Alex Rebert (apr)