PDFBOX-6171: rewrite getDecodeArray() so that enlarged arrays are truncated but keep all the checks

THausherr · THausherr · commit fa7cb5983b4c · 2026-03-01T06:28:52.000Z
git-svn-id: https://svn.apache.org/repos/asf/pdfbox/trunk@1932085 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/graphics/image/SampledImageReader.java b/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/graphics/image/SampledImageReader.java
@@ -33,6 +33,7 @@
 import org.apache.logging.log4j.Logger;
 import org.apache.logging.log4j.LogManager;
 import org.apache.pdfbox.cos.COSArray;
+import org.apache.pdfbox.cos.COSBase;
 import org.apache.pdfbox.cos.COSNumber;
 import org.apache.pdfbox.filter.DecodeOptions;
 import org.apache.pdfbox.pdmodel.graphics.color.PDColorSpace;
@@ -741,45 +742,40 @@ private static BufferedImage applyColorKeyMask(BufferedImage image, BufferedImag
     private static float[] getDecodeArray(PDImage pdImage) throws IOException
     {
         final COSArray cosDecode = pdImage.getDecode();
-        float[] decode = null;
 
         if (cosDecode != null)
         {
             int numberOfComponents = pdImage.getColorSpace().getNumberOfComponents();
-            if (cosDecode.size() != numberOfComponents * 2)
+            if (cosDecode.size() >= numberOfComponents * 2)
             {
-                if (pdImage.isStencil() && cosDecode.size() >= 2
-                        && cosDecode.get(0) instanceof COSNumber
-                        && cosDecode.get(1) instanceof COSNumber)
+                boolean error = false;
+                float[] decode = new float[numberOfComponents * 2];
+                for (int i = 0; i < decode.length; ++i)
                 {
-                    float decode0 = ((COSNumber) cosDecode.get(0)).floatValue();
-                    float decode1 = ((COSNumber) cosDecode.get(1)).floatValue();
-                    if (decode0 >= 0 && decode0 <= 1 && decode1 >= 0 && decode1 <= 1)
+                    COSBase base = cosDecode.get(i);
+                    if (base instanceof COSNumber)
                     {
-                        LOG.warn(
-                                "decode array {} not compatible with color space, using the first two entries",
-                                cosDecode);
-                        return new float[]
-                        {
-                            decode0, decode1
-                        };
+                        decode[i] = ((COSNumber) base).floatValue();
+                    }
+                    else
+                    {
+                        error = true;
+                        break;
                     }
                 }
-                LOG.error("decode array {} not compatible with color space, using default",
-                        cosDecode);
-            }
-            else
-            {
-                decode = cosDecode.toFloatArray();
+                if (pdImage.isStencil() && (decode[0] < 0 || decode[0] > 1 || decode[1] < 0 || decode[1] > 1))
+                {
+                    error = true;
+                }
+                if (!error)
+                {
+                    return decode;
+                }
             }
         }
 
         // use color space default
-        if (decode == null)
-        {
-            return pdImage.getColorSpace().getDefaultDecode(pdImage.getBitsPerComponent());
-        }
-
-        return decode;
+        LOG.error("decode array {} not compatible with color space, using default", cosDecode);
+        return pdImage.getColorSpace().getDefaultDecode(pdImage.getBitsPerComponent());
     }
 }
