[PDFBOX-4626] ArrayIndexOutOfBounds exceptions in CmapSubtable parsing - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 2.0.16, 3.0.0 PDFBox
Fix Version/s: 2.0.17, 3.0.0 PDFBox
Component/s: FontBox
Labels:
None
Environment:
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_212-b03)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.212-b03, mixed mode)

MacOS Mojave

Description

TTFParser.parse can lead to ArrayIndexOutOfBounds exceptions when parsing malformed inputs.

Steps to repro

Create & compile Main.java:

import org.apache.fontbox.ttf.TTFParser;

class Main {
  public static void main(String[] args) throws Throwable {
    (new TTFParser()).parse(System.in);
  }
}

Download the attached inputs and extract them.
For each input, run cat <input> | java -cp 'jars/*' Main to reproduce the exceptions, where `jars` is a folder containing the pdfbox jars.

Stacktraces

$ cat ArrayIndexOutOfBoundsException.CmapSubtable.processSubtype13.320 | java -cp 'jars/*' Main
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
at org.apache.fontbox.ttf.CmapSubtable.processSubtype13(CmapSubtable.java:320)
at org.apache.fontbox.ttf.CmapSubtable.initSubtable(CmapSubtable.java:114)
at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:86)
at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:377)
at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
at Main.main(Main.java:5)

$ cat ArrayIndexOutOfBoundsException.CmapSubtable.processSubtype8.192 | java -cp 'jars/*' Main
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
at org.apache.fontbox.ttf.CmapSubtable.processSubtype8(CmapSubtable.java:192)
at org.apache.fontbox.ttf.CmapSubtable.initSubtable(CmapSubtable.java:105)
at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:86)
at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:377)
at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
at Main.main(Main.java:5)

$ cat ArrayIndexOutOfBoundsException.CmapSubtable.processSubtype8.167 | java -cp 'jars/*' Main
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 8192
at org.apache.fontbox.ttf.CmapSubtable.processSubtype8(CmapSubtable.java:167)
at org.apache.fontbox.ttf.CmapSubtable.initSubtable(CmapSubtable.java:105)
at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:86)
at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:377)
at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173)
at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150)
at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106)
at Main.main(Main.java:5)

The files were generated by fuzzing and are (probably) not valid TTF files. This is a follow-up to ~~PDFBOX-4622~~. I fuzzed fontbox again after applying the patch from that issue (revision https://svn.apache.org/repos/asf/pdfbox/trunk@1864677).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

fontbox-exceptions-2.zip
08/Aug/19 20:39
3 kB
Alex Rebert

Activity

People

Assignee:: Tilman Hausherr

Reporter:: Alex Rebert

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 08/Aug/19 20:43

Updated:: 30/Jun/20 06:13

Resolved:: 09/Aug/19 04:39