[jira] [Updated] (PDFBOX-6045) Potential Console Corruption

Tue, 22 Jul 2025 10:56:06 -0700 


     [ 
https://issues.apache.org/jira/browse/PDFBOX-6045?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David Justamante updated PDFBOX-6045:
-------------------------------------
    Attachment: image1.png
                image2.png

> Potential Console Corruption
> ----------------------------
>
>                 Key: PDFBOX-6045
>                 URL: https://issues.apache.org/jira/browse/PDFBOX-6045
>             Project: PDFBox
>          Issue Type: Bug
>    Affects Versions: 4.0.0
>            Reporter: David Justamante
>            Priority: Minor
>         Attachments: image1.png, image2.png
>
>
> This issue is being *manually* filed by the competition organizers. We 
> recognize there is a number of AI generated submissions as of late. We have 
> gone through the manual process of bug/patch validation to prevent 
> unnecessary "noise", respecting maintainers' time. 
> This submission is being sent as part of DARPA's AIxCC competition. 
> (https://aicyberchallenge.com) This issue was discovered and validated by 
> competition engineers during challenge development. The patch was manually 
> constructed by the competition engineers.
> We found via fuzzing that our console would occasionally get corrupted. This 
> is caused from not filtering user-generated data during logging (and our 
> choice to log to the console).
> In the first screenshot, you can see the point when the corruption happens. 
> In the second, you can see the overall outcome.
> !https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/1bdf3cc5-031b-465e-bcdd-8bb574ddd4c3/afdd8be8-d6b5-4a5d-bb42-86644b5a387a|width=720,height=77!!https://uploads.linear.app/d7cdd4d4-7aba-4d9d-aa0b-c26b540340f9/48b4d8c4-7072-49dd-af1c-b9f8d9ff6755/f4a75aaa-bcb1-4ad2-ab0b-1586863731c1|width=2009,height=664!
> We think the fix is to prevent {{\u001b}} from being written to logs. There 
> may be other solutions.
> The above shows corruption via the font or maybe encoding, but it would be 
> possible to do other things that could be problematic for users logging to 
> the console — like turning the text invisible or other things.
> Some relevant links:
>  * [https://gist.github.com/fnky/458719343aabd01cfb17a3a4f7296797]
>  * [https://www.youtube.com/watch?v=3T2Al3jdY38]
>  
> (AIxCC Internal: CHA-1733)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@pdfbox.apache.org
For additional commands, e-mail: dev-h...@pdfbox.apache.org

Reply via email to