[jira] [Created] (PDFBOX-4999) Dangerous COSDictionary.addAll(COSDictionary) method

Fri, 23 Oct 2020 08:31:48 -0700 

Michael Klink created PDFBOX-4999:
-------------------------------------

             Summary: Dangerous COSDictionary.addAll(COSDictionary) method
                 Key: PDFBOX-4999
                 URL: https://issues.apache.org/jira/browse/PDFBOX-4999
             Project: PDFBox
          Issue Type: Bug
    Affects Versions: 2.0.21, 3.0.0 PDFBox
            Reporter: Michael Klink


The method {{COSDictionary.addAll(COSDictionary)}} creates the impression, by 
name and by JavaDoc comment,
{code:java}
/**
 * This will add all of the dictionaries keys/values to this dictionary.
...
{code}
that it can be used for exactly that, adding all key/value pairs from the 
argument dictionary to the current one, replacing old entries for the same keys.
 If one looks at the implementation, though, one is in for a surprise:
{code:java}
/**
 * This will add all of the dictionaries keys/values to this dictionary.
 * Only called when adding keys to a trailer that already exists.
 *
 * @param dic The dictionaries to get the keys from.
 */
public void addAll(COSDictionary dic)
{
    dic.forEach((key, value) ->
    {
        /*
         * If we're at a second trailer, we have a linearized pdf file, meaning 
that the first Size entry represents
         * all of the objects so we don't need to grab the second.
         */
        if (!COSName.SIZE.equals(key) || !items.containsKey(COSName.SIZE))
        {
            setItem(key, value);
        }
    });
}
{code}
Here existing *Size* entries explicitly are not replaced!

This appears to be a relic from times when PDFBox parsed PDF documents front to 
back, ignoring cross reference streams, for improved results with linearized 
files.

Nowadays this exception does not make any sense anymore, see [this stack 
overflow answer|https://stackoverflow.com/a/64502740/1729265]. Furthermore, 
this method is used in other contexts than creating trailer unions, even some 
PDFBox methods use it to create arbitrary dictionary unions.

Thus, this exception should be removed after all usages of that method in 
PDFBox have been analyzed.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to