-Original file line number
+Diff line change
@@ Expand Up / @@ -154,7 +154,7 @@ private void parsePfb(final byte[] pfb) throws IOException @@
                 size += in.read() << 16;
                 size += in.read() << 24;
                 LOG.debug("record type: {}, segment size: {}", recordType, size);
-                if (size > pfb.length)
+                if (size < 0 || size > pfb.length)
                 {
                     // PDFBOX-6044: avoid potential OOM
                     throw new IOException("record size " + size + " would be larger than the input");
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -101,4 +101,25 @@ void testEmpty() @@
         {
             Assertions.assertThrows(IOException.class, () -> Type1Font.createWithPFB(new byte[0]));
         }
+        /**
+         * Test that a PFB with a negative size field (integer overflow) throws IOException
+         * instead of NegativeArraySizeException. A crafted 18-byte PFB with size bytes
+         * 01 00 00 FF overflows the signed int to -16777215, bypassing the upper-bound check.
+         */
+        @Test
+        void testNegativeRecordSize()
+        {
+            // 18-byte crafted PFB: start marker 0x80, ASCII type 0x01,
+            // size field 0x01 0x00 0x00 0xFF = -16777215 as signed int
+            byte[] crashInput = {
+                (byte) 0x80, 0x01,                         // header
+x01, 0x00, 0x00, (byte) 0xFF,             // size: overflows to negative
+                (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,     // garbage data
+                (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+x27, 0x05, (byte) 0xF8, (byte) 0xFF,
+                (byte) 0xD2, 0x40
+            };
+            Assertions.assertThrows(IOException.class, () -> new PfbParser(crashInput));
+        }
     }

Fix NegativeArraySizeException in PfbParser #412

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

-Original file line number
+Diff line change
@@ Expand Up / @@ -154,7 +154,7 @@ private void parsePfb(final byte[] pfb) throws IOException @@
                 size += in.read() << 16;
                 size += in.read() << 24;
                 LOG.debug("record type: {}, segment size: {}", recordType, size);
-                if (size > pfb.length)
+                if (size < 0 || size > pfb.length)
                 {
                     // PDFBOX-6044: avoid potential OOM
                     throw new IOException("record size " + size + " would be larger than the input");
@@ Expand Down @@

-Original file line number
+Diff line change
@@ Expand Up / @@ -101,4 +101,25 @@ void testEmpty() @@
         {
             Assertions.assertThrows(IOException.class, () -> Type1Font.createWithPFB(new byte[0]));
         }
+        /**
+         * Test that a PFB with a negative size field (integer overflow) throws IOException
+         * instead of NegativeArraySizeException. A crafted 18-byte PFB with size bytes
+         * 01 00 00 FF overflows the signed int to -16777215, bypassing the upper-bound check.
+         */
+        @Test
+        void testNegativeRecordSize()
+        {
+            // 18-byte crafted PFB: start marker 0x80, ASCII type 0x01,
+            // size field 0x01 0x00 0x00 0xFF = -16777215 as signed int
+            byte[] crashInput = {
+                (byte) 0x80, 0x01,                         // header
+x01, 0x00, 0x00, (byte) 0xFF,             // size: overflows to negative
+                (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,     // garbage data
+                (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+x27, 0x05, (byte) 0xF8, (byte) 0xFF,
+                (byte) 0xD2, 0x40
+            };
+            Assertions.assertThrows(IOException.class, () -> new PfbParser(crashInput));
+        }
     }

Provide feedback