OpenPDF icon indicating copy to clipboard operation
OpenPDF copied to clipboard
verified publisher icon LibrePDF

List of bugs found in openPDF predecessor

Open Lonzak opened this issue 2 years ago • 1 comments

There is a report of bugs found by some univercity students . Some might apply to OpenPDF as well. At least it is worth checking out. Another possibility would be to request another scan by these gyus...

Original Bug Report

The bug report folder can be downloaded from https://drive.google.com/drive/folders/1b38Mi8fKp05vzMbth1oiopFYNH92GWrK?usp=sharing

Total 56 bugs are reported in this pull request. A full list is provided below. Folder structure

Level 1 (folder): exception type
Level 2 (folder): error location
Level 3 (files): POC file and report.txt including reproducing steps

report.txt content:

Exception type
Error location
Bug cause and impact
Crash thread's stacks
Steps to reproduce

Bug full list

java.lang.ArrayIndexOutOfBoundsException
-- com.itextpdf.kernel.crypto.ARCFOUREncryption.encryptARCFOUR--ARCFOUREncryption.java-93
-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard128.computeOwnerKey--StandardHandlerUsingStandard128.java-81
-- com.itextpdf.kernel.pdf.PdfXrefTable.clear--PdfXrefTable.java-448
-- com.itextpdf.kernel.pdf.PdfXrefTable.get--PdfXrefTable.java-153
-- com.itextpdf.kernel.pdf.PdfXrefTable.initFreeReferencesList--PdfXrefTable.java-185
java.lang.ClassCastException
-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary--StandardHandlerUsingStandard40.java-193
-- com.itextpdf.kernel.pdf.PdfDocument.open--PdfDocument.java-1958
-- com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler--PdfEncryption.java-531
-- com.itextpdf.kernel.pdf.PdfEncryption.readAndSetCryptoModeForStdHandler--PdfEncryption.java-534
-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344
java.lang.NegativeArraySizeException
-- com.itextpdf.kernel.pdf.PdfXrefTable.extendXref--PdfXrefTable.java-598
java.lang.NullPointerException
-- com.itextpdf.kernel.crypto.securityhandler.StandardHandlerUsingStandard40.initKeyAndReadDictionary--StandardHandlerUsingStandard40.java-194
-- com.itextpdf.kernel.crypto.securityhandler.StandardSecurityHandler.getIsoBytes--StandardSecurityHandler.java-94
-- com.itextpdf.kernel.pdf.PdfArray.get--PdfArray.java-374
-- com.itextpdf.kernel.pdf.PdfObjectWrapper.markObjectAsIndirect--PdfObjectWrapper.java-141
-- com.itextpdf.kernel.pdf.PdfReader.getOriginalFileId--PdfReader.java-669
-- com.itextpdf.kernel.pdf.PdfReader.readDecryptObj--PdfReader.java-1287
-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344
-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-738
-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-739
-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-740
-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-773
-- com.itextpdf.kernel.pdf.PdfReader.readObjectStream--PdfReader.java-792
java.lang.NumberFormatException
-- com.itextpdf.io.source.PdfTokenizer.getIntValue--PdfTokenizer.java-512
-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-314
-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-315
java.lang.OutOfMemoryError
-- com.itextpdf.kernel.pdf.PdfReader.readStreamBytesRaw--PdfReader.java-391
-- com.itextpdf.kernel.pdf.PdfXrefTable.extendXref--PdfXrefTable.java-598
java.lang.StackOverflowError
-- com.itextpdf.io.source.ByteBuffer.append--ByteBuffer.java-110
-- com.itextpdf.io.source.PdfTokenizer.getStringValue--PdfTokenizer.java-187
-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-341
-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-343
-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-361
-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-377
-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-413
-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-452
-- com.itextpdf.io.source.PdfTokenizer.nextToken--PdfTokenizer.java-469
-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-271
-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-300
-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-306
-- com.itextpdf.io.source.PdfTokenizer.nextValidToken--PdfTokenizer.java-314
-- com.itextpdf.io.source.RandomAccessFileOrArray.read--RandomAccessFileOrArray.java-138
-- com.itextpdf.io.util.MessageFormatUtil.format--MessageFormatUtil.java-55
-- com.itextpdf.kernel.pdf.PdfDictionary.putAll--PdfDictionary.java-333
-- com.itextpdf.kernel.pdf.PdfName.compareTo--PdfName.java-1003
-- com.itextpdf.kernel.pdf.PdfNumber.generateValue--PdfNumber.java-180
-- com.itextpdf.kernel.pdf.PdfReader.readArray--PdfReader.java-944
-- com.itextpdf.kernel.pdf.PdfReader.readDictionary--PdfReader.java-923
-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1336
-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-1344
-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-801
-- com.itextpdf.kernel.pdf.PdfReader.readObject--PdfReader.java-845
-- com.itextpdf.kernel.pdf.PdfReader.readPdfName--PdfReader.java-912
-- com.itextpdf.kernel.pdf.PdfReader.readReference--PdfReader.java-817
-- com.itextpdf.kernel.pdf.PdfReader.readReference--PdfReader.java-834
java.lang.StringIndexOutOfBoundsException
-- com.itextpdf.io.source.PdfTokenizer.checkPdfHeader--PdfTokenizer.java-239

Lonzak avatar Jan 31 '23 23:01 Lonzak

@asturio @Lonzak @daviddurand Do we have these bugs in OpenPDF? If they are present, have all of them been fixed? If so, in which version were they resolved?

kandadishiva avatar Sep 24 '24 13:09 kandadishiva

I don't know if these bugs are present in OpenPDF. There are a lot of static analisys tools which can find lot of problems in OpenPDF (because the code had many contributors with different coding-styles a awareness of code quality). Actually there is no problem: If someone find such a bug, the person can also file a PR which fix this one or others. It's difficult enough to keep the quality of such a project at a good level, or even better rise the code quality. But there is no point in fixing bad code afterwards.

If there is a PR fixing some code, people will be merging them.

Closing this because it is too vague, and there is not really a way to tell if the bugs were there or not.

asturio avatar Aug 18 '25 13:08 asturio

Yeah I remember the scan was a student project and in the beginning we couldn't even reach the student who reported the issues. After some weeks he reported back and we finally got some details. This is basically this ticket. Then additionally the scan was done on iText 7.1.17 and not on openPDF directly. Parts of the codes are still equal or differ only a little, however it is not clear which issue applies and which not. I just checked the google drive and the description of the issues seem pretty solid. @kandadishiva What you can do to help is to go through all the places and see whether it is a real openPDF issue. Then add a pull request + fix would be nice :-)

Lonzak avatar Aug 18 '25 15:08 Lonzak