Enforce ByteRange validation

dss-pades/src/main/java/eu/europa/esig/dss/pdf/pdfbox/PdfBoxSignatureService.java

@@ -329,6 +329,10 @@ private List<PdfSignatureOrDocTimestampInfo> getSignatures(CertificatePool valid
 
 				for (PDSignature signature : pdSignatures) {
 					String subFilter = signature.getSubFilter();
+
+					int[] byteRange = signature.getByteRange();
+
+					validateByteRange(byteRange);
 
 					COSDictionary dict = signature.getCOSObject();
 					COSString item = (COSString) dict.getDictionaryObject(COSName.CONTENTS);
@@ -346,7 +350,6 @@ private List<PdfSignatureOrDocTimestampInfo> getSignatures(CertificatePool valid
 					}
 
 					byte[] signedContent = signature.getSignedContent(originalBytes);
-					int[] byteRange = signature.getByteRange();
 
 					PdfDict signatureDictionary = new PdfBoxDict(signature.getCOSObject(), doc);
 					PdfSignatureOrDocTimestampInfo signatureInfo = null;
@@ -389,6 +392,31 @@ private List<PdfSignatureOrDocTimestampInfo> getSignatures(CertificatePool valid
 		return signatures;
 	}
 
+	private void validateByteRange(int[] byteRange) {
+
+		if (byteRange == null || byteRange.length != 4) {
+			throw new DSSException("Incorrect BytRange size");
+		}
+
+		final int a = byteRange[0];
+		final int b = byteRange[1];
+		final int c = byteRange[2];
+		final int d = byteRange[3];
+
+		if (a != 0) {
+			throw new DSSException("The BytRange must cover start of file");
+		}
+		if (b <= 0) {
+			throw new DSSException("The first hash part doesn't cover anything");
+		}
+		if (c <= b) {
+			throw new DSSException("The second hash part must start after the first hash part");
+		}
+		if (d <= 0) {
+			throw new DSSException("The second hash part doesn't cover anything");
+		}
+	}
+
 	/**
 	 * This method links previous signatures to the new one. This is useful to get revision number and to know if a TSP
 	 * is over the DSS dictionary