[jira] [Updated] (PDFBOX-4251) Optimize AFMParser

Thu, 28 Jun 2018 23:13:17 -0700 


     [ 
https://issues.apache.org/jira/browse/PDFBOX-4251?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Andreas Lehmkühler updated PDFBOX-4251:
---------------------------------------
    Description: 
>From our private mailinlist:

{quote}
Tobias Ospelt has been working with fuzzing to identify oom/infinite loops.  
Tobias' attached file triggers a really long running loop which eventually 
leads to an OOM.  It looks like this loop is the problem in AFMParser's 
readLine():
{quote}
 
{code}
while(!this.isEOL(nextByte = this.input.read())) {
      buf.append((char)nextByte);
}
{code}

CVE-2018-8036

Description: A carefully crafted (or fuzzed) file can trigger an infinite loop 
which leads to an out of memory exception in Apache PDFBox's AFMParser.

Affected versions:
 <= 1.8.14
 <= 2.0.10 

Mitigation: update to a more recent version

> Optimize AFMParser
> ------------------
>
>                 Key: PDFBOX-4251
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-4251
>             Project: PDFBox
>          Issue Type: Improvement
>          Components: FontBox
>    Affects Versions: 1.8.14, 2.0.10, 3.0.0 PDFBox
>            Reporter: Andreas Lehmkühler
>            Assignee: Andreas Lehmkühler
>            Priority: Major
>             Fix For: 1.8.15, 2.0.11, 3.0.0 PDFBox
>
>
> From our private mailinlist:
> {quote}
> Tobias Ospelt has been working with fuzzing to identify oom/infinite loops.  
> Tobias' attached file triggers a really long running loop which eventually 
> leads to an OOM.  It looks like this loop is the problem in AFMParser's 
> readLine():
> {quote}
>  
> {code}
> while(!this.isEOL(nextByte = this.input.read())) {
>       buf.append((char)nextByte);
> }
> {code}
> CVE-2018-8036
> Description: A carefully crafted (or fuzzed) file can trigger an infinite 
> loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
> Affected versions:
>  <= 1.8.14
>  <= 2.0.10 
> Mitigation: update to a more recent version



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to