PDFBOX-6066: early return when unplausible data

THausherr · THausherr · commit 31d5411aff3f · 2025-09-11T14:02:13.000Z
git-svn-id: https://svn.apache.org/repos/asf/pdfbox/trunk@1928344 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/fontbox/src/main/java/org/apache/fontbox/ttf/GlyphSubstitutionTable.java b/fontbox/src/main/java/org/apache/fontbox/ttf/GlyphSubstitutionTable.java
@@ -161,6 +161,13 @@ private Map<String, ScriptTable> readScriptList(TTFDataStream data, long offset)
         {
             scriptTags[i] = data.readString(4);
             scriptOffsets[i] = data.readUnsignedShort();
+            if (scriptOffsets[i] < data.getCurrentPosition() - offset)
+            {
+                // can't be before the current position
+                LOG.error("scriptOffsets[{}]: {} implausible: data.getCurrentPosition() - offset = {}", 
+                        i, scriptOffsets[i], data.getCurrentPosition() - offset);
+                return Collections.unmodifiableMap(resultScriptList);
+            }
         }
         for (int i = 0; i < scriptCount; i++)
         {
@@ -180,15 +187,22 @@ private ScriptTable readScriptTable(TTFDataStream data, long offset) throws IOEx
         for (int i = 0; i < langSysCount; i++)
         {
             langSysTags[i] = data.readString(4);
-            if (i > 0 && langSysTags[i].compareTo(langSysTags[i-1]) <= 0)
+            langSysOffsets[i] = data.readUnsignedShort();
+            if (langSysOffsets[i] < data.getCurrentPosition() - offset)
+            {
+                // can't be before the current position
+                LOG.error("langSysOffsets[{}]: {} implausible: data.getCurrentPosition() - offset = {}", 
+                        i, langSysOffsets[i], data.getCurrentPosition() - offset);
+                return new ScriptTable(null, new LinkedHashMap<>());
+            }
+            if (i > 0 && langSysTags[i].compareTo(langSysTags[i-1]) < 0)
             {
                 // PDFBOX-4489: catch corrupt file
                 // https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2#slTbl_sRec
-                LOG.error("LangSysRecords not alphabetically sorted by LangSys tag: {} <= {}",
+                LOG.error("LangSysRecords not alphabetically sorted by LangSys tag: {} < {}",
                         langSysTags[i], langSysTags[i - 1]);
                 return new ScriptTable(null, new LinkedHashMap<>());
             }
-            langSysOffsets[i] = data.readUnsignedShort();
         }
 
         LangSysTable defaultLangSysTable = null;
@@ -350,10 +364,12 @@ private LookupTable readLookupTable(TTFDataStream data, long offset) throws IOEx
             {
                 LOG.error("subTableOffsets[{}] is 0 at offset {}", i,
                         data.getCurrentPosition() - 2);
+                return new LookupTable(lookupType, lookupFlag, 0, new LookupSubTable[0]);
             }
-            else if (offset + subTableOffsets[i] > data.getOriginalDataSize())
+            if (offset + subTableOffsets[i] > data.getOriginalDataSize())
             {
                 LOG.error("{} > {}", offset + subTableOffsets[i], data.getOriginalDataSize());
+                return new LookupTable(lookupType, lookupFlag, 0, new LookupSubTable[0]);
             }
         }
 

Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,13 @@ private Map<String, ScriptTable> readScriptList(TTFDataStream data, long offset)`
`161`	`161`	`{`
`162`	`162`	`scriptTags[i] = data.readString(4);`
`163`	`163`	`scriptOffsets[i] = data.readUnsignedShort();`
	`164`	`+ if (scriptOffsets[i] < data.getCurrentPosition() - offset)`
	`165`	`+ {`
	`166`	`+ // can't be before the current position`
	`167`	`+ LOG.error("scriptOffsets[{}]: {} implausible: data.getCurrentPosition() - offset = {}",`
	`168`	`+ i, scriptOffsets[i], data.getCurrentPosition() - offset);`
	`169`	`+ return Collections.unmodifiableMap(resultScriptList);`
	`170`	`+ }`
`164`	`171`	`}`
`165`	`172`	`for (int i = 0; i < scriptCount; i++)`
`166`	`173`	`{`
`@@ -180,15 +187,22 @@ private ScriptTable readScriptTable(TTFDataStream data, long offset) throws IOEx`
`180`	`187`	`for (int i = 0; i < langSysCount; i++)`
`181`	`188`	`{`
`182`	`189`	`langSysTags[i] = data.readString(4);`
`183`		`- if (i > 0 && langSysTags[i].compareTo(langSysTags[i-1]) <= 0)`
	`190`	`+ langSysOffsets[i] = data.readUnsignedShort();`
	`191`	`+ if (langSysOffsets[i] < data.getCurrentPosition() - offset)`
	`192`	`+ {`
	`193`	`+ // can't be before the current position`
	`194`	`+ LOG.error("langSysOffsets[{}]: {} implausible: data.getCurrentPosition() - offset = {}",`
	`195`	`+ i, langSysOffsets[i], data.getCurrentPosition() - offset);`
	`196`	`+ return new ScriptTable(null, new LinkedHashMap<>());`
	`197`	`+ }`
	`198`	`+ if (i > 0 && langSysTags[i].compareTo(langSysTags[i-1]) < 0)`
`184`	`199`	`{`
`185`	`200`	`// PDFBOX-4489: catch corrupt file`
`186`	`201`	`// https://docs.microsoft.com/en-us/typography/opentype/spec/chapter2#slTbl_sRec`
`187`		`- LOG.error("LangSysRecords not alphabetically sorted by LangSys tag: {} <= {}",`
	`202`	`+ LOG.error("LangSysRecords not alphabetically sorted by LangSys tag: {} < {}",`
`188`	`203`	`langSysTags[i], langSysTags[i - 1]);`
`189`	`204`	`return new ScriptTable(null, new LinkedHashMap<>());`
`190`	`205`	`}`
`191`		`- langSysOffsets[i] = data.readUnsignedShort();`
`192`	`206`	`}`
`193`	`207`
`194`	`208`	`LangSysTable defaultLangSysTable = null;`
`@@ -350,10 +364,12 @@ private LookupTable readLookupTable(TTFDataStream data, long offset) throws IOEx`
`350`	`364`	`{`
`351`	`365`	`LOG.error("subTableOffsets[{}] is 0 at offset {}", i,`
`352`	`366`	`data.getCurrentPosition() - 2);`
	`367`	`+ return new LookupTable(lookupType, lookupFlag, 0, new LookupSubTable[0]);`
`353`	`368`	`}`
`354`		`- else if (offset + subTableOffsets[i] > data.getOriginalDataSize())`
	`369`	`+ if (offset + subTableOffsets[i] > data.getOriginalDataSize())`
`355`	`370`	`{`
`356`	`371`	`LOG.error("{} > {}", offset + subTableOffsets[i], data.getOriginalDataSize());`
	`372`	`+ return new LookupTable(lookupType, lookupFlag, 0, new LookupSubTable[0]);`
`357`	`373`	`}`
`358`	`374`	`}`
`359`	`375`