Uploaded image for project: 'PDFBox'
  1. PDFBox
  2. PDFBOX-4822

Off-by-one error in PDSignature.getConvertedContents()

    XMLWordPrintableJSON

    Details

      Description

      In PDSignature.java, we have the following function:

          private byte[] getConvertedContents(InputStream is) throws IOException
          {
              ByteArrayOutputStream byteOS = new ByteArrayOutputStream(1024);
              byte[] buffer = new byte[1024];
              int c;
              while ((c = is.read(buffer)) != -1)
              {
                  // Filter < and (
                  if(buffer[0]==0x3C || buffer[0]==0x28)
                  {
                      byteOS.write(buffer, 1, c); // ERROR: may read buffer[1024], which doesn't exist!
                  }
                  // Filter > and )
                  else if(buffer[c-1]==0x3E || buffer[c-1]==0x29)
                  {
                      byteOS.write(buffer, 0, c-1);
                  }
                  else
                  {
                      byteOS.write(buffer, 0, c);
                  }
              }
              is.close();        return COSString.parseHex(byteOS.toString("ISO-8859-1")).getBytes();
          }
      

       

      If c = 1024 (i.e. is.read() fills the buffer completely), and the first byte is 0x3C or 0x28, we try to read the 1025th byte of the buffer, and hit an IndexOutOfBoundsException:

      java.lang.IndexOutOfBoundsException: Range [1, 1 + 1024) out of bounds for length 1024
          at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64) ~[?:?]
          at jdk.internal.util.Preconditions.outOfBoundsCheckFromIndexSize(Preconditions.java:82) ~[?:?]
          at jdk.internal.util.Preconditions.checkFromIndexSize(Preconditions.java:343) ~[?:?]
          at java.util.Objects.checkFromIndexSize(Objects.java:424) ~[?:?]
          at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:155) ~[?:?]
          at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getConvertedContents(PDSignature.java:348) ~[pdfbox-2.0.19.jar:2.0.19]
          at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getContents(PDSignature.java:335) ~[pdfbox-2.0.19.jar:2.0.19]

       

      By changing the first byteOS.write call to this:

                      byteOS.write(buffer, 1, c-1);
      

      the problem is fixed.

       

        Attachments

          Activity

            People

            • Assignee:
              tilman Tilman Hausherr
              Reporter:
              Googulator Gábor Stefanik
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: