diff --git a/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java b/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
index fe391e10919..bf6f7692f75 100644
--- a/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
+++ b/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
@@ -154,7 +154,7 @@ private void parsePfb(final byte[] pfb) throws IOException
 size += in.read() << 16;
 size += in.read() << 24;
 LOG.debug("record type: {}, segment size: {}", recordType, size);
- if (size > pfb.length)
+ if (size < 0 || size > pfb.length)
 {
 // PDFBOX-6044: avoid potential OOM
 throw new IOException("record size " + size + " would be larger than the input");
diff --git a/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java b/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
index e73ed4cc9e0..8ea379eb4c7 100644
--- a/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
+++ b/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
@@ -101,4 +101,25 @@ void testEmpty()
 {
 Assertions.assertThrows(IOException.class, () -> Type1Font.createWithPFB(new byte[0]));
 }
+
+ /**
+ * Test that a PFB with a negative size field (integer overflow) throws IOException
+ * instead of NegativeArraySizeException. A crafted 18-byte PFB with size bytes
+ * 01 00 00 FF overflows the signed int to -16777215, bypassing the upper-bound check.
+ */
+ @Test
+ void testNegativeRecordSize()
+ {
+ // 18-byte crafted PFB: start marker 0x80, ASCII type 0x01,
+ // size field 0x01 0x00 0x00 0xFF = -16777215 as signed int
+ byte[] crashInput = {
+ (byte) 0x80, 0x01, // header
+ 0x01, 0x00, 0x00, (byte) 0xFF, // size: overflows to negative
+ (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, // garbage data
+ (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+ 0x27, 0x05, (byte) 0xF8, (byte) 0xFF,
+ (byte) 0xD2, 0x40
+ };
+ Assertions.assertThrows(IOException.class, () -> new PfbParser(crashInput));
+ }
 }
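Review bot: The message thrown from the widened guard, `"record size " + size + " would be larger than the input"`, is wrong for the `size < 0` case it now also covers, and the `// PDFBOX-6044: avoid potential OOM` comment does not mention the negative-length case. I would reword it to `throw new IOException("record size " + size + " is negative or larger than the input");` and extend the comment to say that a last size byte of 0x80 or above makes the signed int negative. The bound is also the whole input length rather than the bytes remaining after the record header, so a record can still claim more data than is left; whether that is rejected depends on code after this hunk, which is not visible here. parsePfb starts and continues outside the hunk.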
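Review bot: The `assertThrows(IOException.class, ...)` call in testNegativeRecordSize passes for any IOException the parser raises, so it does not pin the new `size < 0` branch; if this input were later rejected for another reason, the test would still pass without exercising the guard. Capture the exception and check that it reports the negative size, e.g. `IOException ex = Assertions.assertThrows(IOException.class, () -> new PfbParser(crashInput));` followed by `Assertions.assertTrue(ex.getMessage().contains("-16777215"));`. A second case with size bytes `00 00 00 80` would also cover the most negative value the field can produce.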