Uploaded image for project: 'PDFBox'
  1. PDFBox
  2. PDFBOX-4622

Various exceptions in TTFParser.parse

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.8.16, 2.0.16
    • Fix Version/s: 1.8.17, 2.0.17, 3.0.0 PDFBox
    • Component/s: FontBox
    • Labels:
      None
    • Environment:
      openjdk version "1.8.0_212"
      OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_212-b03)
      OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.212-b03, mixed mode)

      MacOS Mojave

      Description

      TTFParser.parse can lead to various unchecked exceptions when parsing malformed inputs.

      Steps to repro

      1. Create & compile Main.java: 
        import org.apache.fontbox.ttf.TTFParser;
        
        class Main {
          public static void main(String[] args) throws Throwable {
            (new TTFParser()).parse(System.in);
          }
        }
      • Download the inputs (fontbox-exceptions.zip) and extract them.
      • For each input, run cat <input> | java -cp 'jars/*' Main to reproduce the exceptions, where `jars` is a folder containing the pdfbox jars.

      Stacktraces

      $ cat NullPtrException.HorizontalMetricsTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.NullPointerException
       at org.apache.fontbox.ttf.HorizontalMetricsTable.read(HorizontalMetricsTable.java:53)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.PostScriptTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 258
       at org.apache.fontbox.ttf.PostScriptTable.read(PostScriptTable.java:137)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.NamingTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -1674355620
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readUnsignedShort(MemoryTTFDataStream.java:116)
       at org.apache.fontbox.ttf.NamingTable.read(NamingTable.java:63)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.CmapSubtable.initSubtable | java -cp 'jars/*' Main
      Aug 05, 2019 4:13:54 PM org.apache.fontbox.ttf.CmapSubtable processSubtype13
      WARNING: Format 13 cmap contains an invalid glyph index
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -916972
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readUnsignedShort(MemoryTTFDataStream.java:116)
       at org.apache.fontbox.ttf.CmapSubtable.initSubtable(CmapSubtable.java:74)
       at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:86)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.HorizontalHeaderTable.read | java -cp 'jars/*' Main
      Aug 05, 2019 4:13:54 PM org.apache.fontbox.ttf.CmapSubtable processSubtype12
      WARNING: Format 12 cmap contains an invalid glyph index
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -524
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readSignedShort(MemoryTTFDataStream.java:134)
       at org.apache.fontbox.ttf.TTFDataStream.read32Fixed(TTFDataStream.java:50)
       at org.apache.fontbox.ttf.HorizontalHeaderTable.read(HorizontalHeaderTable.java:65)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat NullPtrException.IndexToLocationTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.NullPointerException
       at org.apache.fontbox.ttf.IndexToLocationTable.read(IndexToLocationTable.java:57)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TrueTypeFont.getTable(TrueTypeFont.java:142)
       at org.apache.fontbox.ttf.TrueTypeFont.getIndexToLocation(TrueTypeFont.java:232)
       at org.apache.fontbox.ttf.GlyphTable.read(GlyphTable.java:67)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.CmapTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -2147483116
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readUnsignedShort(MemoryTTFDataStream.java:116)
       at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:75)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat NullPtrException.VerticalMetricsTable.read | java -cp 'jars/*' Main
      ...
      Exception in thread "main" java.lang.NullPointerException
       at org.apache.fontbox.ttf.VerticalMetricsTable.read(VerticalMetricsTable.java:60)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat NullPtrException.CmapSubtable.processSubtype13 | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.NullPointerException
       at org.apache.fontbox.ttf.CmapSubtable.processSubtype13(CmapSubtable.java:319)
       at org.apache.fontbox.ttf.CmapSubtable.initSubtable(CmapSubtable.java:114)
       at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:86)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)
      $ cat ArrayIndexOutOfBoundsException.MaximumProfileTable.read | java -cp 'jars/*' Main
      Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -1788932292
       at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102)
       at org.apache.fontbox.ttf.MemoryTTFDataStream.readSignedShort(MemoryTTFDataStream.java:134)
       at org.apache.fontbox.ttf.TTFDataStream.read32Fixed(TTFDataStream.java:50)
       at org.apache.fontbox.ttf.MaximumProfileTable.read(MaximumProfileTable.java:274)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TrueTypeFont.getTable(TrueTypeFont.java:142)
       at org.apache.fontbox.ttf.TrueTypeFont.getMaximumProfile(TrueTypeFont.java:188)
       at org.apache.fontbox.ttf.TrueTypeFont.getNumberOfGlyphs(TrueTypeFont.java:369)
       at org.apache.fontbox.ttf.IndexToLocationTable.read(IndexToLocationTable.java:53)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TrueTypeFont.getTable(TrueTypeFont.java:142)
       at org.apache.fontbox.ttf.TrueTypeFont.getIndexToLocation(TrueTypeFont.java:232)
       at org.apache.fontbox.ttf.GlyphTable.read(GlyphTable.java:67)
       at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353)
       at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
       at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
       at Main.main(Main.java:5)

      The files were generated by fuzzing and are (probably) not valid TTF files.

        Attachments

        1. fontbox-exceptions.zip
          28 kB
          Alex Rebert

          Activity

            People

            • Assignee:
              tilman Tilman Hausherr
              Reporter:
              apr Alex Rebert
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: