Posted to dev@pdfbox.apache.org by "Daniel Gredler (Jira)" <ji...@apache.org> on 2019/10/12 18:38:00 UTC

[jira] [Updated] (PDFBOX-4670) ArrayIndexOutOfBoundsExceptions thrown parsing malformed TTF files

     [ https://issues.apache.org/jira/browse/PDFBOX-4670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Gredler updated PDFBOX-4670:
-----------------------------------
    Description: 
I ran some fuzz tests on {{TTFParser}} in order to check the behavior of FontBox with respect to untrusted TTF files. In general the results seem good (e.g. no {{OutOfMemoryError}}), but there are a few instances of {{ArrayIndexOutOfBoundsException}} being thrown.

I've attached a zip file containing the findings (one .trace file and one .ttf file per error), as well as a patch containing the fuzzer used to find these issues. It uses the TTF files in the {{src/test/resources/ttf}} directory, mutates them randomly, and then tries to parse them. Details of any unexpected exceptions are saved to the {{target/fuzz-failures}} directory. I ran 100k tests against each file (takes 5 to 10 minutes), but the run size is customizable.

  was:
I ran some fuzz tests on {{TTFParser}} in order to check the behavior of FontBox with respect to untrusted TTF files. In general the results seem good (e.g. no {{OutOfMemoryError}}s), but there are a few instances of {{ArrayIndexOutOfBoundsException}}s being thrown.

I've attached a zip file containing the findings (one .trace file and one .ttf file per error), as well as a patch containing the fuzzer used to find these issues. It uses the TTF files in the {{src/test/resources/ttf}} directory, mutates them randomly, and then tries to parse them. Details of any unexpected exceptions are saved to the {{target/fuzz-failures}} directory. I ran 100k tests against each file (takes 5 to 10 minutes), but the run size is customizable.


> ArrayIndexOutOfBoundsExceptions thrown parsing malformed TTF files
> ------------------------------------------------------------------
>
>                 Key: PDFBOX-4670
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4670
>             Project: PDFBox
>          Issue Type: Bug
>          Components: FontBox
>    Affects Versions: 2.0.17
>            Reporter: Daniel Gredler
>            Priority: Minor
>         Attachments: fontbox-fuzzing.diff, fuzz-failures.zip
>
>
> I ran some fuzz tests on {{TTFParser}} in order to check the behavior of FontBox with respect to untrusted TTF files. In general the results seem good (e.g. no {{OutOfMemoryError}}), but there are a few instances of {{ArrayIndexOutOfBoundsException}} being thrown.
> I've attached a zip file containing the findings (one .trace file and one .ttf file per error), as well as a patch containing the fuzzer used to find these issues. It uses the TTF files in the {{src/test/resources/ttf}} directory, mutates them randomly, and then tries to parse them. Details of any unexpected exceptions are saved to the {{target/fuzz-failures}} directory. I ran 100k tests against each file (takes 5 to 10 minutes), but the run size is customizable.


