Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
1.8.16, 2.0.16
-
None
-
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_212-b03)
OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.212-b03, mixed mode)
MacOS Mojave
Description
TTFParser.parse can lead to various unchecked exceptions when parsing malformed inputs.
Steps to repro
- Create & compile Main.java:
import org.apache.fontbox.ttf.TTFParser; class Main { public static void main(String[] args) throws Throwable { (new TTFParser()).parse(System.in); } }
- Download the inputs (fontbox-exceptions.zip) and extract them.
- For each input, run cat <input> | java -cp 'jars/*' Main to reproduce the exceptions, where `jars` is a folder containing the pdfbox jars.
Stacktraces
$ cat NullPtrException.HorizontalMetricsTable.read | java -cp 'jars/*' Main Exception in thread "main" java.lang.NullPointerException at org.apache.fontbox.ttf.HorizontalMetricsTable.read(HorizontalMetricsTable.java:53) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
$ cat ArrayIndexOutOfBoundsException.PostScriptTable.read | java -cp 'jars/*' Main Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 258 at org.apache.fontbox.ttf.PostScriptTable.read(PostScriptTable.java:137) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
$ cat ArrayIndexOutOfBoundsException.NamingTable.read | java -cp 'jars/*' Main Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -1674355620 at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102) at org.apache.fontbox.ttf.MemoryTTFDataStream.readUnsignedShort(MemoryTTFDataStream.java:116) at org.apache.fontbox.ttf.NamingTable.read(NamingTable.java:63) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
$ cat ArrayIndexOutOfBoundsException.CmapSubtable.initSubtable | java -cp 'jars/*' Main Aug 05, 2019 4:13:54 PM org.apache.fontbox.ttf.CmapSubtable processSubtype13 WARNING: Format 13 cmap contains an invalid glyph index Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -916972 at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102) at org.apache.fontbox.ttf.MemoryTTFDataStream.readUnsignedShort(MemoryTTFDataStream.java:116) at org.apache.fontbox.ttf.CmapSubtable.initSubtable(CmapSubtable.java:74) at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:86) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
$ cat ArrayIndexOutOfBoundsException.HorizontalHeaderTable.read | java -cp 'jars/*' Main Aug 05, 2019 4:13:54 PM org.apache.fontbox.ttf.CmapSubtable processSubtype12 WARNING: Format 12 cmap contains an invalid glyph index Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -524 at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102) at org.apache.fontbox.ttf.MemoryTTFDataStream.readSignedShort(MemoryTTFDataStream.java:134) at org.apache.fontbox.ttf.TTFDataStream.read32Fixed(TTFDataStream.java:50) at org.apache.fontbox.ttf.HorizontalHeaderTable.read(HorizontalHeaderTable.java:65) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
$ cat NullPtrException.IndexToLocationTable.read | java -cp 'jars/*' Main Exception in thread "main" java.lang.NullPointerException at org.apache.fontbox.ttf.IndexToLocationTable.read(IndexToLocationTable.java:57) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TrueTypeFont.getTable(TrueTypeFont.java:142) at org.apache.fontbox.ttf.TrueTypeFont.getIndexToLocation(TrueTypeFont.java:232) at org.apache.fontbox.ttf.GlyphTable.read(GlyphTable.java:67) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
$ cat ArrayIndexOutOfBoundsException.CmapTable.read | java -cp 'jars/*' Main Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -2147483116 at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102) at org.apache.fontbox.ttf.MemoryTTFDataStream.readUnsignedShort(MemoryTTFDataStream.java:116) at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:75) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
$ cat NullPtrException.VerticalMetricsTable.read | java -cp 'jars/*' Main ... Exception in thread "main" java.lang.NullPointerException at org.apache.fontbox.ttf.VerticalMetricsTable.read(VerticalMetricsTable.java:60) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
$ cat NullPtrException.CmapSubtable.processSubtype13 | java -cp 'jars/*' Main Exception in thread "main" java.lang.NullPointerException at org.apache.fontbox.ttf.CmapSubtable.processSubtype13(CmapSubtable.java:319) at org.apache.fontbox.ttf.CmapSubtable.initSubtable(CmapSubtable.java:114) at org.apache.fontbox.ttf.CmapTable.read(CmapTable.java:86) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
$ cat ArrayIndexOutOfBoundsException.MaximumProfileTable.read | java -cp 'jars/*' Main Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -1788932292 at org.apache.fontbox.ttf.MemoryTTFDataStream.read(MemoryTTFDataStream.java:102) at org.apache.fontbox.ttf.MemoryTTFDataStream.readSignedShort(MemoryTTFDataStream.java:134) at org.apache.fontbox.ttf.TTFDataStream.read32Fixed(TTFDataStream.java:50) at org.apache.fontbox.ttf.MaximumProfileTable.read(MaximumProfileTable.java:274) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TrueTypeFont.getTable(TrueTypeFont.java:142) at org.apache.fontbox.ttf.TrueTypeFont.getMaximumProfile(TrueTypeFont.java:188) at org.apache.fontbox.ttf.TrueTypeFont.getNumberOfGlyphs(TrueTypeFont.java:369) at org.apache.fontbox.ttf.IndexToLocationTable.read(IndexToLocationTable.java:53) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TrueTypeFont.getTable(TrueTypeFont.java:142) at org.apache.fontbox.ttf.TrueTypeFont.getIndexToLocation(TrueTypeFont.java:232) at org.apache.fontbox.ttf.GlyphTable.read(GlyphTable.java:67) at org.apache.fontbox.ttf.TrueTypeFont.readTable(TrueTypeFont.java:353) at org.apache.fontbox.ttf.TTFParser.parseTables(TTFParser.java:173) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:150) at org.apache.fontbox.ttf.TTFParser.parse(TTFParser.java:106) at Main.main(Main.java:5)
The files were generated by fuzzing and are (probably) not valid TTF files.