You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@pdfbox.apache.org by "Sebastian Fieber (Jira)" <ji...@apache.org> on 2021/04/23 12:12:00 UTC
[jira] [Created] (PDFBOX-5175) Behaviour change in 2.0.20 due to
use of IOUtils.populateBuffer in
SecurityHandler.prepareAESInitializationVector leading to IOException for
certain PDF
Sebastian Fieber created PDFBOX-5175:
----------------------------------------
Summary: Behaviour change in 2.0.20 due to use of IOUtils.populateBuffer in SecurityHandler.prepareAESInitializationVector leading to IOException for certain PDF
Key: PDFBOX-5175
URL: https://issues.apache.org/jira/browse/PDFBOX-5175
Project: PDFBox
Issue Type: Bug
Components: Parsing
Affects Versions: 2.0.23, 2.0.21, 2.0.20
Reporter: Sebastian Fieber
We have a PDF file which we cannot share which has a cerification signature from Adobe.
Prior version 2.0.20 this PDF could be loaded and analyzed. From version 2.0.20 and newer calling the load method from PDDocument results in a IOException.
We tracked down the problem why this was not happening in 2.0.19 and found out the populateBuffer method changes the behaviour of the prepareAESInitializationVector method.
Before the code looked like this:
{code:java}
if (decrypt)
{
// read IV from stream
int ivSize = data.read(iv);
if (ivSize == -1)
{
return false;
}
if (ivSize != iv.length)
{
throw new IOException(
"AES initialization vector not fully read: only "
+ ivSize + " bytes read instead of " + iv.length);
}
{code}
if data was empty -1 was returned from the read call and the method returned false and everything went on okay. 2.0.20 introduced changes this line to:
{code:java}
int ivSize = (int) IOUtils.populateBuffer(data, iv);
if (ivSize == -1) {
return false;
}
{code}
Due to the if condition being still there we are not quite sure if this was intentional.
populateBuffer will never return -1 but anything >= 0.
So either this is unintentionally than this is a bug and the if clause should check for 0 bytes read. Or this is intentional and the if clause is obsolete as well as the boolean return value.
Here is a stacktrace (no line numbers, sorry):
{code:java}
Caused by: java.io.IOException: AES initialization vector not fully read: only 0 bytes read instead of 16
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdmodel.encryption.SecurityHandler.prepareAESInitializationVector(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdmodel.encryption.SecurityHandler.encryptDataAESother(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdmodel.encryption.SecurityHandler.encryptData(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdmodel.encryption.SecurityHandler.decryptStream(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdfparser.COSParser.parseFileObject(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdfparser.COSParser.parseObjectDynamically(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdfparser.COSParser.parseObjectDynamically(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdfparser.COSParser.parseDictObjects(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdfparser.PDFParser.initialParse(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdfparser.PDFParser.parse(Unknown Source)
at org.apache.pdfbox@2.0.23/org.apache.pdfbox.pdmodel.PDDocument.load(Unknown Source)
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@pdfbox.apache.org
For additional commands, e-mail: dev-help@pdfbox.apache.org