Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.0.19
-
None
Description
In PDSignature.java, we have the following function:
private byte[] getConvertedContents(InputStream is) throws IOException
{
ByteArrayOutputStream byteOS = new ByteArrayOutputStream(1024);
byte[] buffer = new byte[1024];
int c;
while ((c = is.read(buffer)) != -1)
{
// Filter < and (
if(buffer[0]==0x3C || buffer[0]==0x28)
{
byteOS.write(buffer, 1, c); // ERROR: may read buffer[1024], which doesn't exist!
}
// Filter > and )
else if(buffer[c-1]==0x3E || buffer[c-1]==0x29)
{
byteOS.write(buffer, 0, c-1);
}
else
{
byteOS.write(buffer, 0, c);
}
}
is.close(); return COSString.parseHex(byteOS.toString("ISO-8859-1")).getBytes();
}
If c = 1024 (i.e. is.read() fills the buffer completely), and the first byte is 0x3C or 0x28, we try to read the 1025th byte of the buffer, and hit an IndexOutOfBoundsException:
java.lang.IndexOutOfBoundsException: Range [1, 1 + 1024) out of bounds for length 1024
at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64) ~[?:?]
at jdk.internal.util.Preconditions.outOfBoundsCheckFromIndexSize(Preconditions.java:82) ~[?:?]
at jdk.internal.util.Preconditions.checkFromIndexSize(Preconditions.java:343) ~[?:?]
at java.util.Objects.checkFromIndexSize(Objects.java:424) ~[?:?]
at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:155) ~[?:?]
at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getConvertedContents(PDSignature.java:348) ~[pdfbox-2.0.19.jar:2.0.19]
at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getContents(PDSignature.java:335) ~[pdfbox-2.0.19.jar:2.0.19]
By changing the first byteOS.write call to this:
byteOS.write(buffer, 1, c-1);
the problem is fixed.