[ https://issues.apache.org/jira/browse/PDFBOX-4822?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Gábor Stefanik updated PDFBOX-4822: ----------------------------------- Description: In PDSignature.java, we have the following function: {code:java} private byte[] getConvertedContents(InputStream is) throws IOException { ByteArrayOutputStream byteOS = new ByteArrayOutputStream(1024); byte[] buffer = new byte[1024]; int c; while ((c = is.read(buffer)) != -1) { // Filter < and ( if(buffer[0]==0x3C || buffer[0]==0x28) { byteOS.write(buffer, 1, c); // ERROR: may read buffer[1024], which doesn't exist! } // Filter > and ) else if(buffer[c-1]==0x3E || buffer[c-1]==0x29) { byteOS.write(buffer, 0, c-1); } else { byteOS.write(buffer, 0, c); } } is.close(); return COSString.parseHex(byteOS.toString("ISO-8859-1")).getBytes(); } {code} If c = 1024 (i.e. is.read() fills the buffer completely), and the first byte is 0x3C or 0x28, we try to read the 1025th byte of the buffer, and hit an IndexOutOfBoundsException: {noformat} java.lang.IndexOutOfBoundsException: Range [1, 1 + 1024) out of bounds for length 1024 at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64) ~[?:?] at jdk.internal.util.Preconditions.outOfBoundsCheckFromIndexSize(Preconditions.java:82) ~[?:?] at jdk.internal.util.Preconditions.checkFromIndexSize(Preconditions.java:343) ~[?:?] at java.util.Objects.checkFromIndexSize(Objects.java:424) ~[?:?] at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:155) ~[?:?] at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getConvertedContents(PDSignature.java:348) ~[pdfbox-2.0.19.jar:2.0.19] at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getContents(PDSignature.java:335) ~[pdfbox-2.0.19.jar:2.0.19]{noformat} By changing the first byteOS.write call to this: {code:java} byteOS.write(buffer, 1, c-1); {code} the problem is fixed. was: In PDSignature.java, we have the following function: {code:java} private byte[] getConvertedContents(InputStream is) throws IOException { ByteArrayOutputStream byteOS = new ByteArrayOutputStream(1024); byte[] buffer = new byte[1024]; int c; while ((c = is.read(buffer)) != -1) { // Filter < and ( if(buffer[0]==0x3C || buffer[0]==0x28) { byteOS.write(buffer, 1, c); // ERROR: may read buffer[1024], which doesn't exist! } // Filter > and ) else if(buffer[c-1]==0x3E || buffer[c-1]==0x29) { byteOS.write(buffer, 0, c-1); } else { byteOS.write(buffer, 0, c); } } is.close(); return COSString.parseHex(byteOS.toString("ISO-8859-1")).getBytes(); } {code} If c = 1024 (i.e. is.read() fills the buffer completely), and the first byte is 0x3C or 0x28, we try to read the 1025th byte of the buffer, and hit an IndexOutOfBoundsException: {noformat} java.lang.IndexOutOfBoundsException: Range [1, 1 + 1024) out of bounds for length 1024 at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64) ~[?:?] at jdk.internal.util.Preconditions.outOfBoundsCheckFromIndexSize(Preconditions.java:82) ~[?:?] at jdk.internal.util.Preconditions.checkFromIndexSize(Preconditions.java:343) ~[?:?] at java.util.Objects.checkFromIndexSize(Objects.java:424) ~[?:?] at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:155) ~[?:?] at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getConvertedContents(PDSignature.java:348) ~[pdfbox-2.0.19.jar:2.0.19] at org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getContents(PDSignature.java:335) ~[pdfbox-2.0.19.jar:2.0.19]{noformat} By changing the first byteOS.write call to this: {code:java} byteOS.write(buffer, 1, c-1); {code} the problem is fixed. > Off-by-one error in PDSignature.getConvertedContents() > ------------------------------------------------------ > > Key: PDFBOX-4822 > URL: https://issues.apache.org/jira/browse/PDFBOX-4822 > Project: PDFBox > Issue Type: Bug > Components: PDModel > Affects Versions: 2.0.19 > Reporter: Gábor Stefanik > Priority: Major > > In PDSignature.java, we have the following function: > {code:java} > private byte[] getConvertedContents(InputStream is) throws IOException > { > ByteArrayOutputStream byteOS = new ByteArrayOutputStream(1024); > byte[] buffer = new byte[1024]; > int c; > while ((c = is.read(buffer)) != -1) > { > // Filter < and ( > if(buffer[0]==0x3C || buffer[0]==0x28) > { > byteOS.write(buffer, 1, c); // ERROR: may read buffer[1024], > which doesn't exist! > } > // Filter > and ) > else if(buffer[c-1]==0x3E || buffer[c-1]==0x29) > { > byteOS.write(buffer, 0, c-1); > } > else > { > byteOS.write(buffer, 0, c); > } > } > is.close(); return > COSString.parseHex(byteOS.toString("ISO-8859-1")).getBytes(); > } > {code} > > If c = 1024 (i.e. is.read() fills the buffer completely), and the first byte > is 0x3C or 0x28, we try to read the 1025th byte of the buffer, and hit an > IndexOutOfBoundsException: > {noformat} > java.lang.IndexOutOfBoundsException: Range [1, 1 + 1024) out of bounds for > length 1024 > at jdk.internal.util.Preconditions.outOfBounds(Preconditions.java:64) > ~[?:?] > at > jdk.internal.util.Preconditions.outOfBoundsCheckFromIndexSize(Preconditions.java:82) > ~[?:?] > at > jdk.internal.util.Preconditions.checkFromIndexSize(Preconditions.java:343) > ~[?:?] > at java.util.Objects.checkFromIndexSize(Objects.java:424) ~[?:?] > at java.io.ByteArrayOutputStream.write(ByteArrayOutputStream.java:155) > ~[?:?] > at > org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getConvertedContents(PDSignature.java:348) > ~[pdfbox-2.0.19.jar:2.0.19] > at > org.apache.pdfbox.pdmodel.interactive.digitalsignature.PDSignature.getContents(PDSignature.java:335) > ~[pdfbox-2.0.19.jar:2.0.19]{noformat} > > By changing the first byteOS.write call to this: > {code:java} > byteOS.write(buffer, 1, c-1); > {code} > the problem is fixed. > -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org For additional commands, e-mail: dev-h...@pdfbox.apache.org