Author: tilman
Date: Fri Jan 30 20:22:28 2026
New Revision: 1931624

Log:
PDFBOX-5660: avoid NegativeArraySizeException, as suggested by Ze Sheng; closes 
#412

Modified:
   pdfbox/trunk/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
   pdfbox/trunk/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java

Modified: 
pdfbox/trunk/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java
==============================================================================
--- pdfbox/trunk/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java    
Fri Jan 30 20:22:18 2026        (r1931623)
+++ pdfbox/trunk/fontbox/src/main/java/org/apache/fontbox/pfb/PfbParser.java    
Fri Jan 30 20:22:28 2026        (r1931624)
@@ -154,6 +154,10 @@ public class PfbParser
             size += in.read() << 16;
             size += in.read() << 24;
             LOG.debug("record type: {}, segment size: {}", recordType, size);
+            if (size < 0)
+            {
+                throw new IOException("record size " + size + " is negative");
+            }
             if (size > pfb.length)
             {
                 // PDFBOX-6044: avoid potential OOM
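Review bot: The new `if (size < 0)` guard has no comment, unlike the `// PDFBOX-6044: avoid potential OOM` note on the check directly below it, so a later reader cannot tell how a negative size can arise. From the two visible `size += in.read() << …` lines, the value goes negative when the top length byte is 0x80 or higher. It apparently also goes negative when `in.read()` returns -1 at end of input, in which case a truncated header would be reported as a "negative" record size. I would add `// PDFBOX-5660: size is built from four in.read() calls; a top byte >= 0x80 or an EOF (-1) makes the int negative` above the `if`. The first two reads and the rest of the method are outside this hunk, so the EOF case should be confirmed there.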

Modified: 
pdfbox/trunk/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java
==============================================================================
--- 
pdfbox/trunk/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java    
    Fri Jan 30 20:22:18 2026        (r1931623)
+++ 
pdfbox/trunk/fontbox/src/test/java/org/apache/fontbox/pfb/PfbParserTest.java    
    Fri Jan 30 20:22:28 2026        (r1931624)
@@ -101,4 +101,25 @@ class PfbParserTest
     {
         Assertions.assertThrows(IOException.class, () -> 
Type1Font.createWithPFB(new byte[0]));
     }
+
+    /**
+     * Test that a PFB with a negative size field (integer overflow) throws 
IOException
+     * instead of NegativeArraySizeException. A crafted 18-byte PFB with size 
bytes
+     * 01 00 00 FF overflows the signed int to -16777215, bypassing the 
upper-bound check.
+     */
+    @Test
+    void testNegativeRecordSize()
+    {
+        // 18-byte crafted PFB: start marker 0x80, ASCII type 0x01,
+        // size field 0x01 0x00 0x00 0xFF = -16777215 as signed int
+        byte[] crashInput = {
+            (byte) 0x80, 0x01,                         // header
+            0x01, 0x00, 0x00, (byte) 0xFF,             // size: overflows to 
negative
+            (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,     // garbage data
+            (byte) 0xFF, (byte) 0xFF, (byte) 0xFF,
+            0x27, 0x05, (byte) 0xF8, (byte) 0xFF,
+            (byte) 0xD2, 0x40
+        };
+        Assertions.assertThrows(IOException.class, () -> new 
PfbParser(crashInput));
+    }
 }
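Review bot: `testNegativeRecordSize` asserts only the exception type, so it would still pass if the `IOException` came from another check in the parser rather than from the new negative-size guard. Pinning the message ties the test to the fix: `IOException e = Assertions.assertThrows(IOException.class, () -> new PfbParser(crashInput));` followed by `Assertions.assertTrue(e.getMessage().contains("is negative"));`. A second case with size bytes `00 00 00 80` (Integer.MIN_VALUE) would cover the boundary where the sign bit is first set.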
