Author: tilman
Date: Fri Jan 30 20:22:08 2026
New Revision: 1931622
Log:
PDFBOX-5660: avoid NegativeArraySizeException, as suggested by Ze Sheng; closes
#412
Modified:
pdfbox/branches/3.0/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
pdfbox/branches/3.0/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
Modified:
pdfbox/branches/3.0/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
==============================================================================
---
pdfbox/branches/3.0/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
Fri Jan 30 20:03:07 2026 (r1931621)
+++
pdfbox/branches/3.0/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
Fri Jan 30 20:22:08 2026 (r1931622)
@@ -163,6 +163,10 @@ public class PfbParser
{
LOG.debug("record type: " + recordType + ", segment size: " +
size);
}
+ if (size < 0)
+ {
+ throw new IOException("record size " + size + " is negative");
+ }
if (size > pfb.length)
{
// PDFBOX-6044: avoid potential OOM
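Review bot: The new `size < 0` guard has no comment, while the `size > pfb.length` check right after it is tagged `// PDFBOX-6044: avoid potential OOM`. I would add `// PDFBOX-5660: size is taken from the file and can be negative as a signed int` above the `if`, so the reason for rejecting attacker-controlled lengths stays next to the code. Separately, the upper bound compares `size` with the whole `pfb.length` rather than with the bytes left after the current record header. Whether a later read enforces the remaining length cannot be seen from here, because the enclosing method starts and ends outside this hunk, so that is worth confirming.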
Modified:
pdfbox/branches/3.0/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
==============================================================================
---
pdfbox/branches/3.0/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
Fri Jan 30 20:03:07 2026 (r1931621)
+++
pdfbox/branches/3.0/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
Fri Jan 30 20:22:08 2026 (r1931622)
@@ -101,4 +101,25 @@ class PfbParserTest
{
Assertions.assertThrows(IOException.class, () ->
Type1Font.createWithPFB(new byte[0]));
}
+
+ /**
+ * Test that a PFB with a negative size field (integer overflow) throws
IOException
+ * instead of NegativeArraySizeException. A crafted 18-byte PFB with size
bytes
+ * 01 00 00 FF overflows the signed int to -16777215, bypassing the
upper-bound check.
+ */
+ @Test
+ void testNegativeRecordSize()
+ {
+ // 18-byte crafted PFB: start marker 0x80, ASCII type 0x01,
+ // size field 0x01 0x00 0x00 0xFF = -16777215 as signed int
+ byte[] crashInput = {
+ (byte) 0x80, 0x01, // header
+ 0x01, 0x00, 0x00, (byte) 0xFF, // size: overflows to
negative
+ (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, // garbage data
+ (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+ 0x27, 0x05, (byte) 0xF8, (byte) 0xFF,
+ (byte) 0xD2, 0x40
+ };
+ Assertions.assertThrows(IOException.class, () -> new
PfbParser(crashInput));
+ }
}
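Review bot: `testNegativeRecordSize` asserts only the exception type, so it would still pass if the parser rejected this input through a different `IOException` path and the negative-size guard were later removed or reordered. Pinning the message makes the regression test specific to the check: `IOException e = Assertions.assertThrows(IOException.class, () -> new PfbParser(crashInput));` followed by `Assertions.assertTrue(e.getMessage().contains("is negative"));`. The Javadoc could also say that the four size bytes are read little-endian, since that is what turns `01 00 00 FF` into -16777215.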