Author: tilman
Date: Thu Sep 11 14:02:09 2025
New Revision: 1928343
Log:
PDFBOX-6066: early return when unplausible data
Modified:
pdfbox/branches/3.0/fontbox/src/main/java/org/apache/fontbox/ttf/GlyphSubstitutionTable.java
Modified:
pdfbox/branches/3.0/fontbox/src/main/java/org/apache/fontbox/ttf/GlyphSubstitutionTable.java
==============================================================================
---
pdfbox/branches/3.0/fontbox/src/main/java/org/apache/fontbox/ttf/GlyphSubstitutionTable.java
Thu Sep 11 12:45:02 2025 (r1928342)
+++
pdfbox/branches/3.0/fontbox/src/main/java/org/apache/fontbox/ttf/GlyphSubstitutionTable.java
Thu Sep 11 14:02:09 2025 (r1928343)
@@ -141,6 +141,14 @@ public class GlyphSubstitutionTable exte
{
scriptTags[i] = data.readString(4);
scriptOffsets[i] = data.readUnsignedShort();
+ if (scriptOffsets[i] < data.getCurrentPosition() - offset)
+ {
+ // can't be before the current position
+ LOG.error("scriptOffsets[" + i + "]: " + scriptOffsets[i] +
+ " implausible: data.getCurrentPosition() - offset = " +
+ (data.getCurrentPosition() - offset));
+ return Collections.unmodifiableMap(resultScriptList);
+ }
}
for (int i = 0; i < scriptCount; i++)
{
@@ -160,15 +168,23 @@ public class GlyphSubstitutionTable exte
for (int i = 0; i < langSysCount; i++)
{
langSysTags[i] = data.readString(4);
- if (i > 0 && langSysTags[i].compareTo(langSysTags[i-1]) <= 0)
+ langSysOffsets[i] = data.readUnsignedShort();
+ if (langSysOffsets[i] < data.getCurrentPosition() - offset)
+ {
+ // can't be before the current position
+ LOG.error("langSysOffsets[" + i + "]: " + langSysOffsets[i] +
+ " implausible: data.getCurrentPosition() - offset = " +
+ (data.getCurrentPosition() - offset));
+ return new ScriptTable(null, new LinkedHashMap<>());
+ }
+ if (i > 0 && langSysTags[i].compareTo(langSysTags[i-1]) < 0)
{
// PDFBOX-4489: catch corrupt file
//
https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2#slTbl_sRec
LOG.error("LangSysRecords not alphabetically sorted by LangSys
tag: " +
- langSysTags[i] + " <= " + langSysTags[i - 1]);
+ langSysTags[i] + " < " + langSysTags[i - 1]);
return new ScriptTable(null, new LinkedHashMap<>());
}
- langSysOffsets[i] = data.readUnsignedShort();
}
LangSysTable defaultLangSysTable = null;
@@ -329,10 +345,12 @@ public class GlyphSubstitutionTable exte
if (subTableOffsets[i] == 0)
{
LOG.error("subTableOffsets[" + i + "] is 0 at offset " +
(data.getCurrentPosition() - 2));
+ return new LookupTable(lookupType, lookupFlag, 0, new
LookupSubTable[0]);
}
- else if (offset + subTableOffsets[i] > data.getOriginalDataSize())
+ if (offset + subTableOffsets[i] > data.getOriginalDataSize())
{
LOG.error((offset + subTableOffsets[i]) + " > " +
data.getOriginalDataSize());
+ return new LookupTable(lookupType, lookupFlag, 0, new
LookupSubTable[0]);
}
}
