Author: tilman
Date: Fri Jan 30 20:22:18 2026
New Revision: 1931623
Log:
PDFBOX-5660: avoid NegativeArraySizeException, as suggested by Ze Sheng; closes
#412
Modified:
pdfbox/branches/2.0/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
pdfbox/branches/2.0/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
Modified:
pdfbox/branches/2.0/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
==============================================================================
---
pdfbox/branches/2.0/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
Fri Jan 30 20:22:08 2026 (r1931622)
+++
pdfbox/branches/2.0/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
Fri Jan 30 20:22:18 2026 (r1931623)
@@ -175,6 +175,10 @@ public class PfbParser
{
LOG.debug("record type: " + recordType + ", segment size: " +
size);
}
+ if (size < 0)
+ {
+ throw new IOException("record size " + size + " is negative");
+ }
if (size > pfb.length)
{
// PDFBOX-6044: avoid potential OOM
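Review bot: The added `if (size < 0)` guard has no comment, while the upper-bound check directly after it is tagged `// PDFBOX-6044: avoid potential OOM`. A matching line such as `// PDFBOX-5660: size is a signed int taken from the file; a high last byte makes it negative and slips past the check below` would tell the next reader why both bounds are needed. The exception message reports only the size; `recordType` is already in scope for the debug log above, so `throw new IOException("record size " + size + " is negative, record type " + recordType);` would make a rejected font easier to triage. The code that reads the size field and the rest of the method are outside the hunk, so whether other length values in this parser need the same lower-bound check cannot be judged from here.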
Modified:
pdfbox/branches/2.0/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
==============================================================================
---
pdfbox/branches/2.0/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
Fri Jan 30 20:22:08 2026 (r1931622)
+++
pdfbox/branches/2.0/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
Fri Jan 30 20:22:18 2026 (r1931623)
@@ -97,4 +97,33 @@ public class PfbParserTest
{
Type1Font.createWithPFB(new byte[0]);
}
-}
\ No newline at end of file
+
+ /**
+ * Test that a PFB with a negative size field (integer overflow) throws
IOException
+ * instead of NegativeArraySizeException. A crafted 18-byte PFB with size
bytes
+ * 01 00 00 FF overflows the signed int to -16777215, bypassing the
upper-bound check.
+ */
+ @Test
+ public void testNegativeRecordSize()
+ {
+ try
+ {
+ // 18-byte crafted PFB: start marker 0x80, ASCII type 0x01,
+ // size field 0x01 0x00 0x00 0xFF = -16777215 as signed int
+ byte[] crashInput = {
+ (byte) 0x80, 0x01, // header
+ 0x01, 0x00, 0x00, (byte) 0xFF, // size: overflows
to negative
+ (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, // garbage data
+ (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+ 0x27, 0x05, (byte) 0xF8, (byte) 0xFF,
+ (byte) 0xD2, 0x40
+ };
+ new PfbParser(crashInput);
+ }
+ catch (IOException ex)
+ {
+ return;
+ }
+ Assert.fail ("expected IOException");
+ }
+}
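Review bot: The catch block in `testNegativeRecordSize` accepts any `IOException`, so the test does not show that the new size check is the one that fires. If a later change made the parser reject this input earlier for a different reason, the test would still pass and the guard would be left unexercised. Asserting on the message ties the test to the guard: put `Assert.assertTrue(ex.getMessage().contains("is negative"));` before the `return;`. As a style point, `Assert.fail ("expected IOException");` has a stray space before the parenthesis.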