[ https://issues.apache.org/jira/browse/FOP-2389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14054981#comment-14054981 ]
Andreas F. commented on FOP-2389:
---------------------------------

(This could be a BufferOverwrite in other environments than the JVM)

Build-Id: 20121016-224756-ICT (glenn [Mac OS X 10.8.1 x86_64, Java 1.6.0_35-b10-428-11M3811, Target Java 1.5])

Steps to reproduce:

    final String randomPassword = UUID.randomUUID().toString();
    foUserAgent.getRendererOptions().put("encryption-params",
            new PDFEncryptionParams(null, randomPassword, true, false, false, true));

Actual results:

    15:53:43,494 ERROR [org.apache.fop.pdf.PDFEncryptionManager] (http--127.0.0.1-8080-3) java.lang.reflect.InvocationTargetException
    15:53:43,498 WARN [org.apache.fop.pdf] (http--127.0.0.1-8080-3) PDF encryption is unavailable. PDF will be generated without encryption.

Expected results:
- should either work with >32 chars passwords, or
- be documented (or is it?) and fail with a specific exception which is not silently lost due to catching and logging InvocationTargetException

Workaround:
- Don't use passwords with length>32

> PDFEncryption: error when Password length>32
> --------------------------------------------
>
>                 Key: FOP-2389
>                 URL: https://issues.apache.org/jira/browse/FOP-2389
>             Project: Fop
>          Issue Type: Bug
>    Affects Versions: 1.1
>            Reporter: Andreas F.
>            Priority: Minor
>
> in method
> org.apache.fop.pdf.PDFEncryptionJCE.InitializationEngine#preparePassword
> (lines 281ff.?)
> the arraycopy expects supplied password's length to be <=32
> it copies supplied pw to a destination with 32 bytes length but uses supplied
> pw's byte length as bytecount to System.arraycopy.
> So this fails with an ArrayIndexOutOfBoundsException
> which is later wrapped in an InvocationTargetException (which is only logged
> by PDFEncryptionManager, so the original cause is even not visible in the
> logs):
>
>     private byte[] preparePassword(String password) {
>         int finalLength = 32;
>         byte[] preparedPassword = new byte[finalLength];
>         byte[] passwordBytes = password.getBytes();
>         System.arraycopy(passwordBytes, 0, preparedPassword, 0,
>                 passwordBytes.length);
>         System.arraycopy(padding, 0, preparedPassword,
>                 passwordBytes.length,
>                 finalLength - passwordBytes.length);
>         return preparedPassword;
>     }
>
> Is this required by the PDF spec?? Then IMHO it should at least be documented?
> possible fix?:
>
>     System.arraycopy(passwordBytes, 0, preparedPassword, 0,
>             Math.min(passwordBytes.length, finalLength))

--
This message was sent by Atlassian JIRA
(v6.2#6252)
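
The failure reported above and a bounded variant, as an added example that is not FOP's code: it reproduces the out-of-bounds copy with a 36-character UUID password, shows that the real cause is only reachable through `getCause()` on the `InvocationTargetException`, and applies the `Math.min` bound to both copies. The class name `PreparePasswordDemo`, the method names, the `PADDING` stand-in and the fixed charset are assumptions made for the demo.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.UUID;

public class PreparePasswordDemo {
    static final int FINAL_LENGTH = 32;
    // Constructed stand-in for the class's padding array (not the real PDF padding bytes).
    static final byte[] PADDING = new byte[FINAL_LENGTH];
    static { Arrays.fill(PADDING, (byte) 0x5A); }

    // Logic as quoted in the report; charset fixed here only to keep the demo deterministic.
    public static byte[] prepareAsReported(String password) {
        byte[] prepared = new byte[FINAL_LENGTH];
        byte[] passwordBytes = password.getBytes(StandardCharsets.ISO_8859_1);
        System.arraycopy(passwordBytes, 0, prepared, 0, passwordBytes.length);
        System.arraycopy(PADDING, 0, prepared, passwordBytes.length,
                FINAL_LENGTH - passwordBytes.length);
        return prepared;
    }

    // Bounded variant: the second copy needs the same bound as the first, otherwise
    // its offset exceeds the array and its length goes negative for long passwords.
    public static byte[] prepareBounded(String password) {
        byte[] prepared = new byte[FINAL_LENGTH];
        byte[] passwordBytes = password.getBytes(StandardCharsets.ISO_8859_1);
        int n = Math.min(passwordBytes.length, FINAL_LENGTH);
        System.arraycopy(passwordBytes, 0, prepared, 0, n);
        System.arraycopy(PADDING, 0, prepared, n, FINAL_LENGTH - n);
        return prepared;
    }

    public static void main(String[] args) throws Exception {
        String pw = UUID.randomUUID().toString(); // 36 characters, as in the report
        Method m = PreparePasswordDemo.class.getMethod("prepareAsReported", String.class);
        try {
            m.invoke(null, pw);
        } catch (InvocationTargetException e) {
            System.out.println("wrapper: " + e);            // all that a log of e shows
            System.out.println("cause:   " + e.getCause()); // the actual bounds failure
        }
        System.out.println("bounded length: " + prepareBounded(pw).length);
        // Consequence of truncation: bytes past position 32 do not affect the result.
        String base = "0123456789abcdef0123456789abcdef"; // 32 chars, constructed
        System.out.println("suffix ignored: " + Arrays.equals(
                prepareBounded(base + "AAAA"), prepareBounded(base + "BBBB")));
    }
}
```

A caller that must never emit an unencrypted PDF should treat the wrapped exception as fatal rather than continue after the "PDF encryption is unavailable" warning.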