[jira] [Commented] (FOP-2389) PDFEncryption: error when Password length>32

Tue, 08 Jul 2014 07:23:28 -0700 

    [ 
https://issues.apache.org/jira/browse/FOP-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14054981#comment-14054981
 ] 

Andreas F. commented on FOP-2389:
---------------------------------

(This could be a BufferOverwrite in other envrionments than the JVM)

Build-Id: 20121016-224756-ICT (glenn [Mac OS X 10.8.1 x86_64, Java 
1.6.0_35-b10-428-11M3811, Target Java 1.5])

Steps to reproduce:
final String randomPassword = UUID.randomUUID().toString();
        foUserAgent.getRendererOptions().put("encryption-params",
                new PDFEncryptionParams(null, randomPassword, true, false, 
false, true));
    }

Actual results:
15:53:43,494 ERROR [org.apache.fop.pdf.PDFEncryptionManager] 
(http--127.0.0.1-8080-3) java.lang.reflect.InvocationTargetException
15:53:43,498 WARN  [org.apache.fop.pdf] (http--127.0.0.1-8080-3) PDF encryption 
is unavailable. PDF will be generated without encryption.

Expected results:
- should either work with >32 chars passwords, or
- be documented (or is it?) and fail with specific excetion which is not 
silently lost due to catching and logging InvocationTargetException

workaround:
- Don't use passwords with length>32

> PDFEncryption: error when Password length>32
> --------------------------------------------
>
>                 Key: FOP-2389
>                 URL: https://issues.apache.org/jira/browse/FOP-2389
>             Project: Fop
>          Issue Type: Bug
>    Affects Versions: 1.1
>            Reporter: Andreas F.
>            Priority: Minor
>
> in method
> org.apache.fop.pdf.PDFEncryptionJCE.InitializationEngine#preparePassword 
> (lines 281ff.?)
> the arraycopy expects supplied password's length to be <=32
> it copies supplied pw to a destination with 32 bytes length but uses supplied 
> pw's byte length as bytecount to System.arraycopy.
> So this fails with an ArrayIndexOutOfBoundsException
> which is later wrapped in an InvocationTargetException (which is only logged 
> by PDFEncryptionManager, so the original cause is even not visible in the 
> logs):
>         private byte[] preparePassword(String password) {
>             int finalLength = 32;
>             byte[] preparedPassword = new byte[finalLength];
>             byte[] passwordBytes = password.getBytes();
>             System.arraycopy(passwordBytes, 0, preparedPassword, 0, 
> passwordBytes.length);
>             System.arraycopy(padding, 0, preparedPassword, 
> passwordBytes.length,
>                     finalLength - passwordBytes.length);
>             return preparedPassword;
>         }
> Is this required by the PDF spec?? Then IMHO it should at least be documented?
> possible fix?:
> System.arraycopy(passwordBytes, 0, preparedPassword, 0, 
> Math.min(passwordBytes.length, finalLength))



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to