Uploaded image for project: 'PDFBox'
  1. PDFBox
  2. PDFBOX-5339

A list of bugs found (70 bugs in total)

VotersWatch issueWatchersLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 2.0.25, 3.0.0 PDFBox
    • 2.0.26, 3.0.0 PDFBox
    • None
    • None

    Description

      1. Unique Bugs Found
      Recently we (Zhang Cen https://github.com/occia, Huang Wenjie https://github.com/ZanderHuang and Zhang Xiaohan https://github.com/Han0nly) discovered a series of bugs in latest pdfbox (3.0.0-alpha2).
      Every bug we reported in the following is unique and reproducable. Furthermore, they have been manually analyzed and triaged in removing the duplicates.
      Due to the lack of contextual knowledge in the pdfbox library, we cannot thoroughly fix some bugs hence we look forward to any proposed plan from the developers in fixing these bugs.

      2. Bug Report and Crash Seeds
      The bug report folder can be downloaded from https://drive.google.com/drive/folders/1TMOzudQOVXPKdZ1--NyusyV7kHRA2MSE?usp=sharing
      It contains both reports and crash seeds.

      3. Test Program to Reproduce Crashes
      The test program can be downloaded from https://drive.google.com/file/d/1r0OsDC0vg8Qc-XtGg0XDKbxubaPozcBj/view?usp=sharing

      Total 70 bugs are reported in this issue.
      A full list is provided below.

      4. Folder structure

      • Level 1 (folder): exception type
      • Level 2 (folder): error location
      • Level 3 (files): POC file and report.txt including reproducing steps

      5. report.txt content:
            1. Exception type
            2. Error location
            3. Bug cause and impact
            4. Crash thread's stacks
            5. Steps to reproduce

       

      6. Bug full list (crashes under java.lang.IllegalArgumentException and IllegalStateException should be wrapped instead of using the common exception types)

      pdfbox_reported_crashes
      ├── java.lang.ArrayIndexOutOfBoundsException
      │   ├─= org.apache.fontbox.cff.CFFParser.readString--CFFParser.java-781
      │   ├─= org.apache.fontbox.cff.Type1CharString.seac--Type1CharString.java-484
      │   ├─= org.apache.fontbox.ttf.HorizontalMetricsTable.getAdvanceWidth--HorizontalMetricsTable.java-113
      │   ├─= org.apache.pdfbox.filter.CCITTFaxDecoderStream.decode2D--CCITTFaxDecoderStream.java-218
      │   └─= org.apache.pdfbox.pdfparser.PDFXrefStreamParser=ObjectNumbers.<init>--PDFXrefStreamParser.java-202
      ├── java.lang.ClassCastException
      │   ├─= org.apache.fontbox.cff.CFFParser.parseType1Dicts--CFFParser.java-765
      │   ├─= org.apache.fontbox.cmap.CMapParser.parseBeginbfrange--CMapParser.java-377
      │   ├─= org.apache.pdfbox.contentstream.operator.text.SetTextLeading.process--SetTextLeading.java-37
      │   ├─= org.apache.pdfbox.pdmodel.font.PDFont.getAverageFontWidth--PDFont.java-402
      │   ├─= org.apache.pdfbox.pdmodel.font.PDType1CFont.<init>--PDType1CFont.java-101
      │   └─= org.apache.pdfbox.util.Matrix.<init>--Matrix.java-70
      ├── java.lang.IllegalArgumentException
      │   ├─= org.apache.fontbox.cff.CFFParser=DictData=Entry.getBoolean--CFFParser.java-1247
      │   ├─= org.apache.fontbox.cff.CFFParser.readCharset--CFFParser.java-1042
      │   ├─= org.apache.fontbox.cff.CFFParser.readEncoding--CFFParser.java-808
      │   ├─= org.apache.fontbox.cff.Type1CharString.callothersubr--Type1CharString.java-383
      │   ├─= org.apache.fontbox.cff.Type1CharString.handleType1Command--Type1CharString.java-319
      │   ├─= org.apache.pdfbox.cos.COSObjectKey.<init>--COSObjectKey.java-54
      │   ├─= org.apache.pdfbox.cos.COSObjectKey.<init>--COSObjectKey.java-58
      │   ├─= org.apache.pdfbox.pdmodel.font.PDFontFactory.createDescendantFont--PDFontFactory.java-128
      │   ├─= org.apache.pdfbox.pdmodel.font.PDFontFactory.createFont--PDFontFactory.java-100
      │   ├─= org.apache.pdfbox.pdmodel.font.PDFontFactory.createFont--PDFontFactory.java-104
      │   ├─= org.apache.pdfbox.pdmodel.font.PDType1Font.<init>--PDType1Font.java-202
      │   └── org.apache.pdfbox.util.Matrix.checkFloatValues--Matrix.java-300
      ├── java.lang.IllegalStateException
      │   ├─= org.apache.fontbox.cff.CFFCharsetCID.getSIDForGID--CFFCharsetCID.java-59
      │   └─= org.apache.pdfbox.pdmodel.PDPageTree.sanitizeType--PDPageTree.java-261
      ├── java.lang.IndexOutOfBoundsException
      │   ├─= org.apache.fontbox.cff.CFFParser=DictData=Entry.getNumber--CFFParser.java-1229
      │   ├─= org.apache.fontbox.cff.Type1CharString.handleType1Command--Type1CharString.java-292
      │   ├─= org.apache.fontbox.cff.Type2CharString.handleType2Command--Type2CharString.java-146
      │   ├─= org.apache.fontbox.util.BoundingBox.<init>--BoundingBox.java-65
      │   ├─= org.apache.pdfbox.contentstream.operator.text.SetTextLeading.process--SetTextLeading.java-37
      │   └─= org.apache.pdfbox.cos.COSArray.getObject--COSArray.java-205
      ├── java.lang.NegativeArraySizeException
      │   └─= org.apache.pdfbox.pdfparser.PDFXrefStreamParser.parse--PDFXrefStreamParser.java-123
      ├── java.lang.NullPointerException
      │   ├─= org.apache.fontbox.cff.CFFParser.parseFont--CFFParser.java-486
      │   ├─= org.apache.fontbox.cff.CFFParser.readString--CFFParser.java-779
      │   ├─= org.apache.fontbox.cmap.CMap.toInt--CMap.java-207
      │   ├─= org.apache.fontbox.type1.Token.intValue--Token.java-107
      │   ├─= org.apache.fontbox.type1.Type1Parser.parseASCII--Type1Parser.java-125
      │   ├─= org.apache.fontbox.type1.Type1Parser.parseBinary--Type1Parser.java-530
      │   ├─= org.apache.fontbox.type1.Type1Parser.readEncoding--Type1Parser.java-210
      │   ├─= org.apache.fontbox.type1.Type1Parser.readOtherSubrs--Type1Parser.java-714
      │   ├─= org.apache.fontbox.type1.Type1Parser.readPostScriptWrapper--Type1Parser.java-423
      │   ├─= org.apache.fontbox.type1.Type1Parser.readProc--Type1Parser.java-458
      │   ├─= org.apache.fontbox.type1.Type1Parser.readProcVoid--Type1Parser.java-492
      │   ├─= org.apache.fontbox.type1.Type1Parser.read--Type1Parser.java-852
      │   ├─= org.apache.pdfbox.pdmodel.encryption.PDEncryption.getFilter--PDEncryption.java-159
      │   ├─? org.apache.pdfbox.pdmodel.font.PDSimpleFont.getStandard14Width--PDSimpleFont.java-327
      │   ├─= org.apache.pdfbox.pdmodel.font.PDTrueTypeFont.codeToGID--PDTrueTypeFont.java-549
      │   ├─= org.apache.pdfbox.pdmodel.font.PDType1CFont.codeToName--PDType1CFont.java-270
      │   ├─= org.apache.pdfbox.pdmodel.font.PDType1Font.codeToName--PDType1Font.java-552
      │   ├─= org.apache.pdfbox.pdmodel.font.PDType3Font.generateBoundingBox--PDType3Font.java-321
      │   ├─= org.apache.pdfbox.pdmodel.font.PDType3Font.generateBoundingBox--PDType3Font.java-334
      │   └─= org.apache.pdfbox.pdmodel.font.PDType3Font.getCharProc--PDType3Font.java-373
      ├── java.lang.NumberFormatException
      │   ├─= org.apache.fontbox.cmap.CMapParser.parseNextToken--CMapParser.java-657
      │   ├─= org.apache.fontbox.cmap.CMapParser.parseNextToken--CMapParser.java-661
      │   ├─= org.apache.fontbox.type1.Token.floatValue--Token.java-112
      │   ├─= org.apache.fontbox.type1.Token.intValue--Token.java-107
      │   └─= org.apache.fontbox.type1.Type1Lexer.tryReadNumber--Type1Lexer.java-337
      ├── java.lang.StackOverflowError
      │   ├─= org.apache.pdfbox.cos.COSDictionary.getCOSArray--COSDictionary.java-593
      │   ├─= org.apache.pdfbox.cos.COSDictionary.getDictionaryObject--COSDictionary.java-178
      │   ├─= org.apache.pdfbox.cos.COSName.equals--COSName.java-738
      │   ├─? org.apache.pdfbox.io.RandomAccessReadBuffer.read--RandomAccessReadBuffer.java-217
      │   ├─= org.apache.pdfbox.pdfparser.BaseParser.isValidUTF8--BaseParser.java-788
      │   ├─= org.apache.pdfbox.pdmodel.PDPageTree.getKids--PDPageTree.java-156
      │   ├─= org.apache.pdfbox.util.SmallMap.findKey--SmallMap.java-67
      │   └─= org.apache.pdfbox.util.SmallMap.get--SmallMap.java-126
      └── java.nio.BufferUnderflowException
          ├─= org.apache.fontbox.type1.Type1Lexer.getChar--Type1Lexer.java-93
          └─= org.apache.fontbox.type1.Type1Lexer.readCharString--Type1Lexer.java-472
          
       7. Crashes under IllegalArgumentException and IllegalStateException types

      A couple of crashes are found under IllegalArgumentException and IllegalStateException. These exceptions are caught and thrown by Pdfbox and they are not bugs but non standard way of handling exceptions.  
      It will be better to standardize it by creating an exception wrapping for the intended exceptions.

       

      Any further discussion for these vulnerabilities including fix is welcomed and look forward to hearing from you.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned
            Zander Huang Huang Wenjie
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment