Skip to content

PDFBOX-6189 : Safely validate dimension to avoid OOM #437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
subbudvk wants to merge 4 commits into from
Closed

PDFBOX-6189 : Safely validate dimension to avoid OOM #437

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
193cfde
Validate dimensions to avoid OOM Exception
subbudvk Apr 8, 2026
75db7a0
Fix : Validate dimensions in user pdf.
subbudvk Apr 8, 2026
fddec87
Fix user controlled dimensions to avoid OOM
subbudvk Apr 8, 2026
909a8b6
Update CCITTFaxFilter.java
subbudvk Apr 8, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 36 additions & 2 deletions pdfbox/src/main/java/org/apache/pdfbox/filter/CCITTFaxFilter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,8 +59,42 @@ public DecodeResult decode(InputStream encoded, OutputStream decoded,
// decompress data
int k = decodeParms.getInt(COSName.K, 0);
boolean encodedByteAlign = decodeParms.getBoolean(COSName.ENCODED_BYTE_ALIGN, false);
int arraySize = (cols + 7) / 8 * rows;
// TODO possible options??
if (cols <= 0 || rows <= 0)
{
throw new IOException("Invalid CCITT image dimensions: cols=" + cols + ", rows=" + rows);
}

long arraySizeLong = ((long) cols + 7) / 8 * rows;

long maxBytes = 256 * 1024 * 1024L;
String sysProp = System.getProperty(Filter.SYSPROP_CCITTFAX_MAXBYTES);

if (sysProp != null)
{
try
{
long parsed = Long.parseLong(sysProp);
if (parsed > 0)
{
maxBytes = parsed;
}
// else ignore zero/negative values
}
catch (NumberFormatException e)
{
// ignore invalid value, keep default
}
}

if (arraySizeLong > maxBytes)
{
throw new IOException(
"CCITT decode buffer too large (" + arraySizeLong + " bytes) for cols=" + cols +
", rows=" + rows + "; max allowed=" + maxBytes +
"; increase " + Filter.SYSPROP_CCITTFAX_MAXBYTES + " to override"
);
}
int arraySize = (int) arraySizeLong;
byte[] decompressed = new byte[arraySize];
CCITTFaxDecoderStream s;
int type;
Expand Down
10 changes: 10 additions & 0 deletions pdfbox/src/main/java/org/apache/pdfbox/filter/Filter.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,16 @@ public abstract class Filter
*/
public static final String SYSPROP_DEFLATELEVEL = "org.apache.pdfbox.filter.deflatelevel";

/**
* CCITTFax decode buffer size cap System Property. Sets the maximum number of bytes that
* CCITTFaxFilter is allowed to pre-allocate for a single image decode buffer. PDF-controlled
* /Columns and /Rows values are validated against this limit before allocation to prevent
* denial-of-service via crafted image dimensions. The default is 256 MB. To raise the cap for
* high-resolution legitimate documents, use
* {@code System.setProperty(Filter.SYSPROP_CCITTFAX_MAXBYTES, String.valueOf(512 * 1024 * 1024L));}
*/
public static final String SYSPROP_CCITTFAX_MAXBYTES = "org.apache.pdfbox.filter.ccittmaxbytes";

/**
* Constructor.
*/
Expand Down