You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@pdfbox.apache.org by "Gábor Stefanik (Jira)" <ji...@apache.org> on 2020/04/30 17:51:00 UTC
[jira] [Updated] (PDFBOX-4822) Off-by-one error in
PDSignature.getConvertedContents()
[ https://issues.apache.org/jira/browse/PDFBOX-4822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gábor Stefanik updated PDFBOX-4822:
-----------------------------------
Description:
In PDSignature.java, we have the following function:
{code:java}
private byte[] getConvertedContents(InputStream is) throws IOException
{
ByteArrayOutputStream byteOS = new ByteArrayOutputStream(1024);
byte[] buffer = new byte[1024];
int c;
while ((c = is.read(buffer)) != -1)
{
// Filter < and (
if(buffer[0]==0x3C || buffer[0]==0x28)
{
byteOS.write(buffer, 1, c); // ERROR: may read buffer[1024], which doesn't exist!
}
// Filter > and )
else if(buffer[c-1]==0x3E || buffer[c-1]==0x29)
{
byteOS.write(buffer, 0, c-1);
}
else
{
byteOS.write(buffer, 0, c);
}
}
is.close(); return COSString.parseHex(byteOS.toString("ISO-8859-1")).getBytes();
}
{code}
If c = 1024 (i.e. is.read() fills the buffer completely), and the first byte is 0x3C or 0x28, we try to read the 1025th byte of the buffer, and hit an IndexOutOfBoundsException:
{noformat}
java.lang.IndexOutOfBoundsException: Range [1, 1 + 1024) out of bounds for length 1024
at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64) ~[?:?]
at jdk.internal.util.Preconditions.outOfBoundsCheckFromIndexSize(Preconditions.java:82) ~[?:?]
at jdk.internal.util.Preconditions.checkFromIndexSize(Preconditions.java:343) ~[?:?]
at java.util.Objects.checkFromIndexSize(Objects.java:424) ~[?:?]
at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:155) ~[?:?]
at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getConvertedContents(PDSignature.java:348) ~[pdfbox-2.0.19.jar:2.0.19]
at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getContents(PDSignature.java:335) ~[pdfbox-2.0.19.jar:2.0.19]{noformat}
By changing the first byteOS.write call to this:
{code:java}
byteOS.write(buffer, 1, c-1);
{code}
the problem is fixed.
was:
In PDSignature.java, we have the following function:
{code:java}
private byte[] getConvertedContents(InputStream is) throws IOException
{
ByteArrayOutputStream byteOS = new ByteArrayOutputStream(1024);
byte[] buffer = new byte[1024];
int c;
while ((c = is.read(buffer)) != -1)
{
// Filter < and (
if(buffer[0]==0x3C || buffer[0]==0x28)
{
byteOS.write(buffer, 1, c); // ERROR: may read buffer[1024], which doesn't exist!
}
// Filter > and )
else if(buffer[c-1]==0x3E || buffer[c-1]==0x29)
{
byteOS.write(buffer, 0, c-1);
}
else
{
byteOS.write(buffer, 0, c);
}
}
is.close(); return COSString.parseHex(byteOS.toString("ISO-8859-1")).getBytes();
}
{code}
If c = 1024 (i.e. is.read() fills the buffer completely), and the first byte is 0x3C or 0x28, we try to read the 1025th byte of the buffer, and hit an IndexOutOfBoundsException:
{noformat}
java.lang.IndexOutOfBoundsException: Range [1, 1 + 1024) out of bounds for length 1024
at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64) ~[?:?]
at jdk.internal.util.Preconditions.outOfBoundsCheckFromIndexSize(Preconditions.java:82) ~[?:?]
at jdk.internal.util.Preconditions.checkFromIndexSize(Preconditions.java:343) ~[?:?]
at java.util.Objects.checkFromIndexSize(Objects.java:424) ~[?:?]
at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:155) ~[?:?]
at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getConvertedContents(PDSignature.java:348) ~[pdfbox-2.0.19.jar:2.0.19]
at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getContents(PDSignature.java:335) ~[pdfbox-2.0.19.jar:2.0.19]{noformat}
By changing the first byteOS.write call to this:
{code:java}
byteOS.write(buffer, 1, c-1);
{code}
the problem is fixed.
> Off-by-one error in PDSignature.getConvertedContents()
> ------------------------------------------------------
>
> Key: PDFBOX-4822
> URL: https://issues.apache.org/jira/browse/PDFBOX-4822
> Project: PDFBox
> Issue Type: Bug
> Components: PDModel
> Affects Versions: 2.0.19
> Reporter: Gábor Stefanik
> Priority: Major
>
> In PDSignature.java, we have the following function:
> {code:java}
> private byte[] getConvertedContents(InputStream is) throws IOException
> {
> ByteArrayOutputStream byteOS = new ByteArrayOutputStream(1024);
> byte[] buffer = new byte[1024];
> int c;
> while ((c = is.read(buffer)) != -1)
> {
> // Filter < and (
> if(buffer[0]==0x3C || buffer[0]==0x28)
> {
> byteOS.write(buffer, 1, c); // ERROR: may read buffer[1024], which doesn't exist!
> }
> // Filter > and )
> else if(buffer[c-1]==0x3E || buffer[c-1]==0x29)
> {
> byteOS.write(buffer, 0, c-1);
> }
> else
> {
> byteOS.write(buffer, 0, c);
> }
> }
> is.close(); return COSString.parseHex(byteOS.toString("ISO-8859-1")).getBytes();
> }
> {code}
>
> If c = 1024 (i.e. is.read() fills the buffer completely), and the first byte is 0x3C or 0x28, we try to read the 1025th byte of the buffer, and hit an IndexOutOfBoundsException:
> {noformat}
> java.lang.IndexOutOfBoundsException: Range [1, 1 + 1024) out of bounds for length 1024
> at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64) ~[?:?]
> at jdk.internal.util.Preconditions.outOfBoundsCheckFromIndexSize(Preconditions.java:82) ~[?:?]
> at jdk.internal.util.Preconditions.checkFromIndexSize(Preconditions.java:343) ~[?:?]
> at java.util.Objects.checkFromIndexSize(Objects.java:424) ~[?:?]
> at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:155) ~[?:?]
> at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getConvertedContents(PDSignature.java:348) ~[pdfbox-2.0.19.jar:2.0.19]
> at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getContents(PDSignature.java:335) ~[pdfbox-2.0.19.jar:2.0.19]{noformat}
>
> By changing the first byteOS.write call to this:
> {code:java}
> byteOS.write(buffer, 1, c-1);
> {code}
> the problem is fixed.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org