• 0 Posts
  • 2 Comments
Joined 6 months ago
Cake day: May 30th, 2024

  • Don’t quote me on this, but I don’t think PDFs can usually contain Java. It also wouldn’t execute if you don’t have a Java runtime.

    Either way, Java serialization data is not executable; it is just that: data. It doesn’t contain code. You need the matching code already running in order to deserialize the data.

    If your file matches the linked SO post, you don’t have serialized Java data embedded in the PDF, but the PDF embedded in a serialized Java array, which, also according to the SO post, is not a valid PDF.

    <speculation>
    I would assume that the library that generated this file (in the SO case, Apache FOP) has a bug where it accidentally serializes the memory array (that holds the generated PDF) to disk, instead of writing it to disk. Why do PDF readers open it anyway? Either they incorrectly scan the file for %PDF- instead of verifying these are the first bytes, or the Apache library (and possibly other libraries with similar bugs) is or was common enough that accepting this became reasonable.
    </speculation>
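The file shape the comment describes, a PDF sitting inside a Java-serialized `byte[]`, can be told apart from a real PDF with a strict header check. The following is an added example, not code from the commenter or from any of the projects mentioned: it constructs a sample stream in the layout the Java Object Serialization Stream Protocol uses for a plain `byte[]` (stream magic, `TC_ARRAY`, a class descriptor for `[B`, the element count, then the bytes), parses only that one shape back out, and reports what a strict loader versus a lenient "scan for %PDF-" reader would conclude. The minimal PDF body, the helper names and the `classify` result keys are all constructed for this example.

```python
import struct
from typing import Optional

# Constants from the Java Object Serialization Stream Protocol.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED, STREAM_VERSION 5
TC_ARRAY = 0x75
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70
SC_SERIALIZABLE = 0x02
PDF_MAGIC = b"%PDF-"                       # must be the first bytes of a valid PDF

# Constructed sample: a minimal PDF header and trailer, not a complete document.
SAMPLE_PDF = b"%PDF-1.4\n% constructed sample body\n%%EOF\n"


def build_serialized_byte_array(payload: bytes) -> bytes:
    """Construct the stream Java writes for ObjectOutputStream.writeObject(byte[]).

    Grammar: newArray -> TC_ARRAY classDesc (int)size values, where classDesc is
    TC_CLASSDESC className serialVersionUID flags fieldCount annotation superDesc.
    The 8-byte serialVersionUID below is the value Java uses for byte[].
    """
    svuid = b"\xac\xf3\x17\xf8\x06\x08\x54\xe0"
    return (
        JAVA_STREAM_MAGIC
        + bytes([TC_ARRAY, TC_CLASSDESC])
        + struct.pack(">H", 2) + b"[B"           # modified-UTF class name "[B"
        + svuid
        + bytes([SC_SERIALIZABLE])               # class descriptor flags
        + struct.pack(">H", 0)                   # arrays declare no fields
        + bytes([TC_ENDBLOCKDATA, TC_NULL])      # no annotation, no superclass
        + struct.pack(">i", len(payload))        # element count
        + payload
    )


def parse_serialized_byte_array(blob: bytes) -> Optional[bytes]:
    """Return the element bytes if blob is a Java-serialized byte[], else None.

    Only this single shape is handled (no back-references, no annotations);
    anything else returns None, and a cut-off stream raises ValueError.
    """
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(blob):
            raise ValueError("truncated serialization stream")
        chunk = blob[pos:pos + n]
        pos += n
        return chunk

    if take(4) != JAVA_STREAM_MAGIC or take(1)[0] != TC_ARRAY:
        return None
    if take(1)[0] != TC_CLASSDESC:
        return None
    (name_len,) = struct.unpack(">H", take(2))
    if take(name_len) != b"[B":
        return None                              # not a byte[] descriptor
    take(8)                                      # serialVersionUID, not validated
    take(1)                                      # descriptor flags
    (field_count,) = struct.unpack(">H", take(2))
    if field_count != 0 or take(1)[0] != TC_ENDBLOCKDATA or take(1)[0] != TC_NULL:
        return None
    (size,) = struct.unpack(">i", take(4))
    if size < 0:
        raise ValueError("negative array length")
    return take(size)


def classify(blob: bytes) -> dict:
    """Report how a strict check and a lenient scan would each see the file."""
    result = {
        "pdf_at_offset_zero": blob.startswith(PDF_MAGIC),   # strict loader's view
        "pdf_magic_offset": blob.find(PDF_MAGIC),           # lenient scan; -1 if absent
        "java_stream": blob.startswith(JAVA_STREAM_MAGIC),
        "wrapped_pdf": False,
    }
    if result["java_stream"]:
        inner = parse_serialized_byte_array(blob)
        result["wrapped_pdf"] = inner is not None and inner.startswith(PDF_MAGIC)
    return result


if __name__ == "__main__":
    wrapped = build_serialized_byte_array(SAMPLE_PDF)
    print("real pdf:   ", classify(SAMPLE_PDF))
    print("wrapped pdf:", classify(wrapped))
```

A strict loader only trusts `pdf_at_offset_zero`; the wrapped file fails that check even though `%PDF-` does appear 27 bytes in, which is exactly the difference the comment points at between verifying the first bytes and scanning for them.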