This is not something we agree with at this point, since it is unclear what kind of exploit could result from it.
We do confirm that the provided code samples trigger java.lang.ArrayIndexOutOfBoundsException in our Java library and System.IndexOutOfRangeException in C#. But the fact that our code throws an exception is not by itself a vulnerability, and no case showing that this behavior can be exploited has been presented to us.
These weakness entries describe the following possible exploits in the C and C++ programming languages:
Denial of Service: Crash, Exit, or Restart;
Execute Unauthorized Code or Commands;
Bypass Protection Mechanism.
However, iText is a Java and C# library. The Java and C# programming languages safeguard against the listed exploits in the case of out-of-bounds access by providing memory abstractions. Nothing related to unauthorized code execution or memory manipulation vulnerabilities is applicable here.
Both weakness records even point to using a language like Java or C# as a `Potential Mitigations` technique:
"For example, ... languages such as Java and Ruby will allow the programmer to handle exceptions when an out-of-bounds index is accessed."
"Use a language that provides appropriate memory abstractions."
Additionally, throwing an exception on out-of-bounds array access does not lead to undefined behavior in those languages. ArrayIndexOutOfBoundsException is a java.lang.RuntimeException, which can be caught and handled appropriately (this distinguishes it from java.lang.Error subclasses). The fact that a user of the library may not know that this exception can be thrown does not by itself mean that the library has a vulnerability, and in our opinion it cannot be classified as a Denial of Service vulnerability.