[jira] [Created] (PDFBOX-6045) Potential Console Corruption

Tue, 22 Jul 2025 08:57:04 -0700 

David Justamante created PDFBOX-6045:
----------------------------------------

             Summary: Potential Console Corruption
                 Key: PDFBOX-6045
                 URL: https://issues.apache.org/jira/browse/PDFBOX-6045
             Project: PDFBox
          Issue Type: Bug
    Affects Versions: 4.0.0
            Reporter: David Justamante


This issue is being *manually* filed by the competition organizers. We 
recognize there is a number of AI generated submissions as of late. We have 
gone through the manual process of bug/patch validation to prevent unnecessary 
"noise", respecting maintainers' time. 

This submission is being sent as part of DARPA's AIxCC competition. 
(https://aicyberchallenge.com) This issue was discovered and validated by 
competition engineers during challenge development. The patch was manually 
constructed by the competition engineers.

We found via fuzzing that our console would occasionally get corrupted. This is 
caused from not filtering user-generated data during logging (and our choice to 
log to the console).

In the first screenshot, you can see the point when the corruption happens. In 
the second, you can see the overall outcome.

!https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/1bdf3cc5-031b-465e-bcdd-8bb574ddd4c3/afdd8be8-d6b5-4a5d-bb42-86644b5a387a|width=720,height=77!!https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/48b4d8c4-7072-49dd-af1c-b9f8d9ff6755/f4a75aaa-bcb1-4ad2-ab0b-1586863731c1|width=2009,height=664!

We think the fix is to prevent {{\u001b}} from being written to logs. There may 
be other solutions.

The above shows corruption via the font or maybe encoding, but it would be 
possible to do other things that could be problematic for users logging to the 
console — like turning the text invisible or other things.

Some relevant links:
 * [https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797]

 * [https://www.youtube.com/watch?v=3T2Al3jdY38]

 

(AIxCC Internal: CHA-1733)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to