Skip to content

Fix NegativeArraySizeException in PfbParser#412

Closed
OwenSanzas wants to merge 1 commit intoapache:trunkfrom
OwenSanzas:fix/negative-array-size-PfbParser
Closed

Fix NegativeArraySizeException in PfbParser#412
OwenSanzas wants to merge 1 commit intoapache:trunkfrom
OwenSanzas:fix/negative-array-size-PfbParser

Conversation

@OwenSanzas
Copy link

@OwenSanzas OwenSanzas commented Jan 30, 2026

NegativeArraySizeException in PfbParser due to Integer Overflow

Summary

PfbParser in Apache PDFBox's fontbox component reads a 4-byte size field as a signed integer without validating for negative values. When processing a malformed PFB font, integer overflow causes a negative size value, leading to NegativeArraySizeException and application crash.

Type: Integer Overflow (CWE-190)
Severity: Medium (CVSS ~5.5)
Impact: Denial of Service (application crash)
Affected Component: fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java:162

Root Cause

Vulnerable Code (PfbParser.java:152-162)

int size = in.read();
size += in.read() << 8;
size += in.read() << 16;
size += in.read() << 24;          // signed integer overflow
LOG.debug("record type: {}, segment size: {}", recordType, size);
if (size > pfb.length)            // only checks upper bound
{
    // PDFBOX-6044: avoid potential OOM
    throw new IOException("record size " + size + " would be larger than the input");
}
byte[] ar = new byte[size];       // line 162: CRASH with negative size

When the 4th byte of the size field is >= 0x80, Java's signed integer arithmetic causes overflow to negative. The PDFBOX-6044 bounds check size > pfb.length only validates the upper bound — negative values pass through and crash at array allocation.

PoC

Trigger file

A crafted malicious_pfb.pdf with an embedded Type1 font containing an 18-byte PFB payload with size field 01 00 00 FF that overflows to -16777215.

How to generate crash.bin

echo -n "gAEBAAD/////////JwX4/9JA" | base64 -d > crash.bin

Hex structure (18 bytes):

80 01 01 00 00 ff ff ff ff ff ff ff 27 05 f8 ff d2 40
  • 0x80 — Start marker
  • 0x01 — ASCII segment type
  • 01 00 00 FF — Size field (little-endian), overflows to -16777215
  • Rest — Garbage data

How to generate malicious_pfb.pdf

python3 create_malicious_pdf_pfb.py

Trigger Method 1: Official pdfbox-app CLI

java -jar pdfbox-app-4.0.0-SNAPSHOT.jar export:text -i malicious_pfb.pdf -o output.txt

Output:

java.lang.NegativeArraySizeException: -16777215
	at org.apache.fontbox.pfb.PfbParser.parsePfb(PfbParser.java:162)
	at org.apache.fontbox.pfb.PfbParser.<init>(PfbParser.java:112)
	at org.apache.fontbox.type1.Type1Font.createWithPFB(Type1Font.java:69)
	at org.apache.pdfbox.pdmodel.font.PDType1Font.<init>(PDType1Font.java:227)
	at org.apache.pdfbox.pdmodel.font.PDFontFactory.createFont(PDFontFactory.java:140)
	at org.apache.pdfbox.pdmodel.PDResources.getFont(PDResources.java:170)

Note: NegativeArraySizeException is a RuntimeException, not caught by PDType1Font which only catches IOException and DamagedFontException.

Trigger Method 2: Direct API

import org.apache.fontbox.pfb.PfbParser;
import java.util.Base64;

public class Reproduce {
    public static void main(String[] args) throws Exception {
        byte[] crash = Base64.getDecoder().decode("gAEBAAD/////////JwX4/9JA");
        new PfbParser(crash);  // NegativeArraySizeException: -16777215
    }
}

@OwenSanzas
Fix NegativeArraySizeException in PfbParser
e8fb779 
Add lower-bound check for negative size values from integer overflow
in the PFB record size field. Extends the PDFBOX-6044 fix which only
checked the upper bound.
asf-gitbox-commits pushed a commit that referenced this pull request Jan 30, 2026
@THausherr
PDFBOX-5660: avoid NegativeArraySizeException, as suggested by Ze She…
410b6ee 
…ng; closes #412

git-svn-id: https://svn.apache.org/repos/asf/pdfbox/branches/3.0@1931622 13f79535-47bb-0310-9956-ffa450edef68
@THausherr
Copy link
Contributor

THausherr commented Feb 1, 2026

Thank you; for some reason asfgit didn't close but it has been committed to the trunk, 3.0 and 2.0. Please close the PR yourself.

@OwenSanzas
Copy link
Author

OwenSanzas commented Feb 1, 2026

@THausherr Thanks for the quick fix across all three branches!

One small request — could you leave a brief acknowledgment of our team (Team FuzzingBrain, O2Lab, Texas A&M University) in this thread or send to zesheng@tamu.edu? This kind of upstream recognition helps with our research funding. Thank you!

@OwenSanzas OwenSanzas closed this Feb 1, 2026
@THausherr
Copy link
Contributor

THausherr commented Feb 1, 2026

Thank you Team FuzzingBrain, O2Lab, Texas A&M University!

@OwenSanzas
Copy link
Author

OwenSanzas commented Feb 1, 2026

Thanks a lot! You're the hero!

asf-gitbox-commits pushed a commit that referenced this pull request Feb 2, 2026
@THausherr
PDFBOX-5660: avoid NegativeArraySizeException, as suggested by Ze She…
547d2bd 
…ng; closes #412

git-svn-id: https://svn.apache.org/repos/asf/pdfbox/branches/2.0@1931623 13f79535-47bb-0310-9956-ffa450edef68
asf-gitbox-commits pushed a commit that referenced this pull request Feb 2, 2026
@THausherr
PDFBOX-5660: avoid NegativeArraySizeException, as suggested by Ze She…
205b190 
…ng; closes #412

git-svn-id: https://svn.apache.org/repos/asf/pdfbox/trunk@1931624 13f79535-47bb-0310-9956-ffa450edef68
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@OwenSanzas @THausherr