[HN Gopher] Show HN: Tetris in a PDF
___________________________________________________________________
Show HN: Tetris in a PDF
I realized that the PDF engines of modern desktop browsers (PDFium
and PDF.js) support JavaScript with enough I/O primitives to make a
basic game like Tetris. It was a bit tricky to find a union of
features that work in both engines, but in the end it turns out
that showing/hiding annotation "fields" works well to make
monochrome pixels, and keyboard input can be achieved by typing in
a text input box. All in all it's quite janky but a nice reminder
of how general purpose PDF scripting can be. The linked PDF is all
ASCII so you can just open it in a text editor, or have a look at
the source code here:
https://github.com/ThomasRinsma/pdftris/blob/main/gengrid.py
Author : ThomasRinsma
Score : 1206 points
Date : 2025-01-09 13:31 UTC (2 days ago)
(HTM) web link (th0mas.nl)
(TXT) w3m dump (th0mas.nl)
| maalber wrote:
| This is hilarious
| revskill wrote:
| Genius you mean ?
| runnr_az wrote:
| Obviously a talented individual. Nice to see them wasting
| time making something ridiculous
| freedomben wrote:
| I don't know how serious you are, but for others projects
| like this are virtually never a waste of time. There's
| opportunity cost of course, but that's very difficult to
| measure. I'm sure OP learned a ton about PDFs in the
| process, and there is/are no shortage of needs for PDF
| creation. More broadly they also deepened their knowledge
| of javascript and other things.
| lucianbr wrote:
| Well, it's quite cool, but if PDF supports javascript,
| putting a javascript game in a PDF is something obviously
| possible. I don't know if it qualifies as genius. If the game
| was made from PostScript commands somehow, that would be
| genius.
|
| Anyway, I love this content on _Hacker_ news, as opposed to
| people explaining how they want Apple to take their freedom
| away, because freedom is dangerous.
| swiftcoder wrote:
| > as opposed to people explaining how they want Apple to
| take their freedom away, because freedom is dangerous
|
| May I be the first to reply that I am glad that this works
| in neither Safari nor Preview.app :)
| nickcageinacage wrote:
| So cool
| josefritzishere wrote:
| Brilliant!
| frizlab wrote:
| Fortunately this does not work in Safari where the rendering is
| done natively.
| anothername12 wrote:
| Does not even seem to be a valid PDF according to Preview.app
| swiftcoder wrote:
| Preview implements a subset of the full capabilities of PDF,
| and in particular it does not implement the javascript
| interpreter.
| p0w3n3d wrote:
| I like how you used "fortunately". For me too the most
| important in PDF is to print a good and accurate text and
| graphics (preferably vector graphics), which recently is not as
| easy as it would be possible
| bityard wrote:
| Not just web browsers, Acrobat (and probably other PDF readers)
| have supported executing Javascript in PDFs for decades.
| unnouinceput wrote:
| I was joking in 2007, when I was working at Siemens, to my
| boss, that an Excel cell can contain God and the Multiverse
| when I put an ActiveX inside that was basically a program I
| made which would draw a 3D animation based on parameters
| contained on other cells. Let's say the boss was impressed
| though for me was just basic OLE.
|
| I see from time to time that younger generations
| reinvent/rediscover the wheel and I chuckle.
| brumar wrote:
| This is even in the ISO standard now
| pimlottc wrote:
| Which makes sense, why would browsers randomly add JS to PDF if
| it wasn't already part of the standard?
| kzrdude wrote:
| What a nightmare that JS is a part of the PDF standard. I
| suppose that it's optional.
| Aaron2222 wrote:
| Doesn't work in Preview unfortunately.
| jeffhuys wrote:
| Fortunately*
| swyx wrote:
| why??? for what possible secure white hat reason could you want
| to run js in pdfs??!? is nobody sane running the pdf org?
| Fernicia wrote:
| Back in school pdfs would circulate that had a bunch of flash
| games on them. I have no idea how or who made them, but they let
| us play dolphin olympics on lab computers with no internet
| connection.
| doublerabbit wrote:
| Excel for games and PowerPoint for stick animations. You'd
| spend hours in CAD class just creating PowerPoint animations
| and not doing any CAD.
|
| I regret this decision now and wish that I had paid some
| attention. 3D printers are cool and I have no idea how to
| design objects for it.
| phkahler wrote:
| >> I do wish I did pay some attention to CAD now. I want a 3D
| printer and have no idea how to design objects for it.
|
| Get Solvespace: https://solvespace.com/index.pl
|
| Do the tutorials. If/when you outgrow it, the concepts will
| carry over to FreeCAD which otherwise has a steeper learning
| curve but has more capabilities.
| smj-edison wrote:
| An aside, but I found FreeCAD to be a real pain. The
| dependency tracking across sketches is really quite horrid.
| If I have sketch2 linked to sketch1, and I delete a line in
| sketch1, it will arbitrarily reassign all the
| sketch2->sketch1 dependencies. Maybe they fixed that since
| I've used it, but I've transferred over to Onshape for all
| my hobby stuff...
|
| EDIT: looks like they finally addressed the topological
| naming problem, I guess I better give it a second chance!
| pbhjpbhj wrote:
| I'm not sure, but I think it may have been that Adobe Viewer
| (or whatever it was) could run Flash?
| Someone wrote:
| Maybe, but PDF can contain Flash Applets, too.
|
| However, modern version of Acrobat Reader do not support that
| anymore. https://helpx.adobe.com/acrobat/kb/flash-format-
| support-in-p...:
|
| _"Flash Player end-of-life (EOL) impacts playback and
| authoring of rich media having Flash content (_.flv and
| _.swf) in PDFs:
|
| * Playback of Flash media (_.flv and _.swf) content in
| existing PDFs will not be supported."_
| amytimed wrote:
| This is awesome! I think you should add the explanation of how it
| works in the PDF itself as well
| seany wrote:
| This is great. Will probably give the fun police in r/k12sysadmin
| a heart attack.
| illegalmemory wrote:
| Not only web but majorly all OS pdf renderers support JS. It used
| to be a major source of malware long back.
| autoexec wrote:
| PDFs are still used to delver malware. Adobe gets picked on
| less often now since everyone has PDF readers in the browser
| but that just makes chrome the new target of choice (not that
| alternative viewers don't get attention too
| https://thehackernews.com/2024/05/foxit-pdf-reader-flaw-
| expl...) but what I see most often in malicious PDF files
| recently are just links to websites that contain malware since
| they can work no matter what your viewer is.
| ykonstant wrote:
| "used to be"
| MartinMond wrote:
| https://www.nutrient.io/blog/how-to-program-a-calculator-pdf...
| See here for how we did a calculator in a PDF
| ozaark wrote:
| Love the demo video and post but for some reason this doesn't
| seem to work for me. Running Chrome on Android 14
| belowm wrote:
| Don't be sad, Google is planning to bring native Tetris
| support to Android.
| meddah wrote:
| Oops. I realized now, unknown PDFs are not safe.
| alana314 wrote:
| Wow, I had no idea PDFs could be this dynamic. Doesn't work in
| Mac OS preview or quicklook but works great in chrome.
| danudey wrote:
| The Canadian passport application PDF has Javascript that
| updates a QR code in the top-right corner of the first page
| whenever you change or fill in a field.
|
| https://www.canada.ca/content/dam/ircc/migration/ircc/englis...
|
| Seems like a pretty genius way of avoiding transcription
| errors. When I dropped my passport application off yesterday
| the passport officer marked up a few things on the PDF and then
| scanned it in, so I assume that they use the QR code to
| automatically fill in the data as I entered it and then make
| any updates necessary from after-the-fact modifications
| manually.
|
| Only seemed to work correctly in Acrobat Reader, but I haven't
| tried others (like Foxit) or anything.
| audiodude wrote:
| Yes, elsewhere in this thread people were complaining about
| how Canadian government PDFs only work in Acrobat Reader on
| Windows and what a PITA that is.
| cool-RR wrote:
| I printed it but it doesn't work :(
| weinzierl wrote:
| _" It was a bit tricky to find a union of features that work in
| both engines [..]"_
|
| I am curious what the constraints are to make this work and in
| which environments it does? Does it work in PDF viewers outside
| the browser? Is there documentation what is available in which
| environment? What is enabled by default, can be switched on or
| off?
| ThomasRinsma wrote:
| I barely looked at Adobe Reader so not sure about that one, it
| definitely does not work with this PDF though, likely because
| it's not compliant in several ways. Besides that I wouldn't be
| surprised if it supports all the required JS APIs and more,
| just possibly behind some permission prompts.
|
| It might work in Foxit as I believe it supports some scripting.
| Most of the other native PDF renderers are more static, as far
| as I know. In either case, I was most interested in the
| browser-native engines, as I always thought of them as more
| "static"/limited.
|
| As for documentation on specific features: to be honest, I just
| looked at the implementations of PDF.js and PDFium. Both only
| support a subset of the "standard" API, likely for security
| reasons. But PDF.js for example allows changing a field's
| background color (colored pixels!), and PDFium allows modifying
| their position/bounding box (I tried a high res color display
| by moving a row vertically as if it's a scanline, but things
| become quite laggy).
| throwaway86530 wrote:
| I got the same conclusions. Unless I misunderstood, Pdfium is
| based on Foxit so that should work. And as both pdf.js and
| pdfium decided to implement only a thin part of the adobe js
| sdk, then there are good chances that it works there too.
| KeplerBoy wrote:
| I guess it should read intersection instead of union.
| ThomasRinsma wrote:
| Oops, yeah :)
| chaps wrote:
| They also support iframes! The absolute madness of PDFs is a
| world wonder. But I'm really still not sure we could do without
| them.
| bityard wrote:
| Gzipped PostScript documents were fairly popular during the
| 90's and are functionally identical to PDFs for 99% of use
| cases. (PDF is essentially PostScript, but with more features.)
| necovek wrote:
| Well, both a simpler language more geared toward
| presentation, but also including more modern features
| designed for on-screen viewing.
| kccqzy wrote:
| For Gzipped PostScript, code execution is its raison d'etre.
| But it is at least possible to build a PDF viewer without
| code execution.
| btown wrote:
| I, for one, was surprised that Chrome's PDF renderer would allow
| persistent JS code like this to run - not just limited code in
| response to user actions, but a real game loop.
|
| But there's a spec for all this and everything!
| https://www.t10.org/ftp/js_api_reference.pdf (2007) - be warned,
| the light of Ecma TC39 standardization does not extend to this
| place.
|
| Chromium's implementation of setInterval for instance (which, in
| this world, takes a string to evaluate):
| https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fxj...
| ->
| https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fxj...
|
| From a security perspective, they're able to build on top of V8
| isolate primitives and Chrome's sandboxing systems - but from the
| logs, security improvements in PDFium are being continuously
| developed as recently as the past few weeks! I feel like I've
| stumbled upon a parallel universe, in the best possible way.
| internetter wrote:
| Atari Breakout for PDF:
| https://cdn.jsdelivr.net/gh/osnr/horrifying-pdf-experiments@...
| a3w wrote:
| I see only a red half of the page, and then two pages of text.
| mati365 wrote:
| So it's possible to port C compiler to PDF. Compiler is already
| done https://github.com/Mati365/ts-c-compiler. We can run DOS in
| PDF basically..
| bowmessage wrote:
| Adobe Acrobat DOOM Pro(tm)
| mati365 wrote:
| What about running Adobe Acrobat in Adobe Acrobat?
| andrea76 wrote:
| Can we run Windows 3.1 in protected mode from a PDF?
| mati365 wrote:
| Imho, it's possible. Generally speaking, it depends if
| PDF can render any sort of canvas.
| danudey wrote:
| Can we compile qemu to a PDF?
| _joel wrote:
| It's PDFs all the way down.
| lxgr wrote:
| That's how it inevitably goes with Turing completeness :)
|
| The real achievement here arguably isn't running code (that's
| provided by the PDF spec and implementations), but managing to
| hook it up to user input/output in an ergonomic-enough way to
| play Tetris.
| segasaturn wrote:
| The mention of Turing Completeness got me curious, so I
| looked something up. Behold, a C compiler written in Lambda
| Calculus: https://github.com/woodrush/lambda-8cc
| lxgr wrote:
| Amazing, thank you!
|
| The PDF [1] containing the Lambda calculus term manages to
| hang/glitch/crash both Firefox's and macOS Preview's PDF
| renderer, which in itself is quite the achievement in
| portability.
|
| Update: Nevermind, Firefox handles it perfectly, it just
| (probably wisely) disables seamless scrolling and I have to
| use the "next/previous" page buttons manually. macOS got
| there after a minute or two of loading with no UI
| indications.
|
| [1] https://woodrush.github.io/lambda-8cc.pdf
| openrisk wrote:
| But will it also compile when printed out on paper?
| GaggiX wrote:
| Kinda happy that Evince doesn't start executing JS when opening a
| PDF.
| freedomben wrote:
| You glorious bastard, what a cool project! This is already a
| contender for most hacker project of the year :-)
|
| (below is not serious)
|
| I would advise people against using this in production though
| because it's still missing some critical features. For example:
|
| 1. The Javascript stops working when printed to physical paper.
| The resulting paper just has a static image and the controls no
| longer work.
|
| 2. It doesn't work properly in Evince. It just shows an error
| "The document contains only empty pages"
| zknowledge wrote:
| hahaha I wish you almost didn't include the parenthesis. I've
| had some clients who would definitely email me that point #1.
| ChrisMarshallNY wrote:
| No. They would fax it to you.
| nadis wrote:
| "The Javascript stops working when printed to physical paper.
| The resulting paper just has a static image and the controls no
| longer work."
|
| -- this comment made my me laugh/choke on my coffee and I have
| no regrets.
| ikari_pl wrote:
| You must have never browsed IT support tickets. Oh the
| horrors...
| nadis wrote:
| Internally laughing and crying at the same time. "Oh the
| horrors..." is exactly right.
| VagabundoP wrote:
| "Its broke"
|
| What's broke? How is it broke. Why send a one liner?!?
|
| So many questions.
| ddoice wrote:
| Can't wait for physical paper with JS support
| pk-protect-ai wrote:
| There is probably an E-Paper capable of JS support, however
| it would be difficult to use for printing due to it's
| thickness ...
|
| https://en.wikipedia.org/wiki/Electronic_paper
| FpUser wrote:
| >"1. The Javascript stops working when printed to physical
| paper. The resulting paper just has a static image and the
| controls no longer work."
|
| Just wait until e-paper replaces the real one ;)
| woodrowbarlow wrote:
| i recently discovered that the Canadian government depends on
| this for some fillable forms, because it shows a message at the
| top that says "JavaScript is disabled" and all the boxes show
| errors. i couldn't get it to work on Linux and had to dust off
| a Windows machine (and it still didn't work in firefox, it
| needed acrobat reader).
| AlexanderTheGr8 wrote:
| I have faced this exact problem with Canadian govt forms.
| Evince doesn't support them. They are so specific about only
| adobe acrobat to fill out the forms. I can open them in
| firefox but can't update them properly The only option is to
| use my barely hanging on 10-yr old windows machine.
|
| Let's hope that eventually they move on to a simpler web
| form.
| ikari_pl wrote:
| Wait, did Acrobat actually end support for Linux? Od you
| just didn't want that particular machine to catch...
| capitalism?
| necovek wrote:
| There is no recent version of Acrobat Reader for Linux,
| and old (was it 5.x beta?) versions rarely work on modern
| distros.
| ars wrote:
| Acrobat 9.5 works fine on Linux, if a little slow.
|
| This Tetris game makes it crash though.
| necovek wrote:
| Oh, thanks, that's good to hear!
|
| Edit: only now I see that's also from 2009 with updates
| into 2013. Do you where one can easily download the
| latest patched version?
| pavon wrote:
| Okular supports javascript in PDFs and works with many
| fillable forms.
| martinflack wrote:
| > 1. The Javascript stops working when printed to physical
| paper.
|
| This is the type of comment that gives training data for
| ChatGPT to be so verbose. Ha!
| inetknght wrote:
| > _The Javascript stops working when printed to physical paper.
| The resulting paper just has a static image and the controls no
| longer work._
|
| Science fiction tells us this is only temporary. Print away,
| those papers will turn into magic in just a few decades!
| LeonenTheDK wrote:
| Just wait until we get this on e-paper.
| debo_ wrote:
| I feel stupid for not getting the joke. It would have been nice
| if you explained it in the ... postscript.
|
| (Yes this is a joke)
| dmd wrote:
| Just don't try to do this in any less powerful display
| languages, or you'll really be in a PCL.
| necovek wrote:
| > The Javascript stops working when printed to physical paper.
| The resulting paper just has a static image and the controls no
| longer work.
|
| I believe you need to rescan it into PDF to get it to work
| again.
| ycombinatrix wrote:
| It might be possible to set up some kind of pdf quine using
| e.g. a QR code
| lisper wrote:
| > The Javascript stops working when printed to physical paper.
|
| It works for me. Maybe you need to upgrade your paper? What
| version are you using?
| dheera wrote:
| > Javascript
|
| Oh, so that's what it is. Bleh. Ok.
|
| I thought it was cooler and made use of the fact that
| PostScript is a Turing-complete language to write Tetris in
| PostScript.
|
| (I never really understood the PDF format but I always assumed
| it's some kind of compressed PostScript)
| atoav wrote:
| 3. I open it on my phone and it doesn't work at all. And that
| is a new phone with a current browser.
| martin_a wrote:
| Regarding #1: Your printer is just too slow. Try finding a
| printing company near you with a web feed machine, that should
| help with your FPS.
| maurya_anand wrote:
| "The Javascript stops working when printed to physical paper."
|
| You need to upgrade your paper that supports a minimum FR of
| 60hz.
| 4ggr0 wrote:
| come on, it's 2025, we need 240hz (to play Tetris with
| 30FPS).
| niqmk wrote:
| I actually printed it out and wanted to see if it worked or
| not.. LMAO
| miningape wrote:
| I just wish I could print this
| potatoman22 wrote:
| This is a good reminder for why to not download random PDFs. One
| of the mechanisms of the Pegasus spyware was emulating a computer
| inside a PDF.
|
| https://en.wikipedia.org/wiki/Pegasus_(spyware)#Vulnerabilit...
| geor9e wrote:
| A tetris PDF could be in a 1 pixel iframe right on this page
| and you'd never know it. So it doesn't require any user action
| to download one.
| sexy_seedbox wrote:
| That's why you run NoScript along side with UBO
| geor9e wrote:
| I'm pretty sure noscript will break 90% of the webpages I
| visit. I just rawdog the internet. If Chrome gets 0day'd
| then a lot of us are going down - at least I'll have
| company.
| throwaway2037 wrote:
| > If Chrome gets 0day'd then a lot of us are going down
|
| If anything, Google would have the correct incentive to
| protect _itself_ from a zero-day exploit. I guess they
| could release a patched version internally only, but I
| doubt it. I do think they want the image of Chrome to be
| relatively positive and giant security hole (patched
| slowed) would do them no favours.
| grgergo wrote:
| This PDF still runs with JS disabled in both of those, and
| in Firefox about:config...
| poincaredisk wrote:
| The vulnerability was in images parsing, and exploit was
| distributed by sending an imessage to the target. So don't open
| any images, and don't read imessages. They are also known to
| use browser exploits, so don't visit random websites.
|
| That was sarcasm, in case it's not clear over the internet.
| Telling people to avoid "suspicious" pdfs/websites is common
| but ultimately not very useful advice.
|
| The real takeaway is: don't become a target of a nation state
| intelligence agency. If you own a phone, they can take over it,
| and there's nothing you can do.
| cess11 wrote:
| The Pegasus Project has shown that pretty much anyone could
| be targeted. It's enough to know someone in a publicly owned
| company or publicly say something negative about corruption
| or just be in the wrong place at the wrong time.
|
| Nothing you do will guarantee that the state won't come after
| you.
| sgerenser wrote:
| If you're really worried about this and you use an iPhone,
| then you should be using Lockdown Mode:
| https://support.apple.com/en-us/105120
| izakfr wrote:
| This is really awesome, great job!
| riffraff wrote:
| could you use checkboxes for display? I'm no sure if you can
| style them, but I think you can access them in JS, and that
| should result in having basic "pixels" which you can use to draw
| anything.
| pbhjpbhj wrote:
| That sounds like something CodeBullet mighty have done!?
| brumar wrote:
| I made a game of life in pdf using this technique, but pdf.js
| is less open to chromium to respect the standard on letting the
| pdf designer defining the ON and OFF state.
|
| One other way would be to use normal text fields and leveraging
| custom fonts. I think there are an enormous potential with
| fonts in the realm of pdf hacking. I think there is also a
| story of past vuln on pdf.js because fonts were evaluated
| outside the sandbox.
| jiveturkey wrote:
| didn't work in safari's embedded reader. no text either, just a
| blank page. or did i not wait long enough?
| saagarjha wrote:
| Doesn't support JavaScript.
| brumar wrote:
| I was considering doing exactly that ahah. We should connect to
| share our hacks and pains. One could project would be to run
| wasm4 games because, yes, pdfium and pdf.js can run webassembly.
| purpleidea wrote:
| Neat! Sadly doesn't work in Evince.
| _joel wrote:
| So does that mean we can transpile PDFs to webassembly now?
| UniverseHacker wrote:
| This is horrifying, PDFs should not be able to execute code.
| cess11 wrote:
| One should reject all PDF:s except /a-standards compliant ones.
| belval wrote:
| Maybe if one enjoys endless conversations with unhappy
| customers. Easier to simply isolate the PDF rendering/parsing
| and move on.
| silon42 wrote:
| A conversion tool would be useful.
| martin_a wrote:
| Let me tell you about the lord and savior of the printing
| industry, the PDF/X standard...
| cess11 wrote:
| It allows external sources. I think even the ICC profile
| can sit outside the document, as well as stuff like video.
|
| I like the archivable series, the document comes with what
| is needed to render it.
| nejsjsjsbsb wrote:
| HTMLs too :)
| crazygringo wrote:
| Seriously, I hate it.
|
| I understand why it happened -- it made sense to allow PDF's to
| be used for form-filling, and once you can fill in forms it
| obviously makes sense to validate inputs, and to handle
| arbitrary validation complexity you need a scripting language,
| and obviously then you want to be able to automatically fill in
| fields based on other fields, or even produce a QR code so it
| can be printed and scanned... And they didn't want to create a
| new extension like ".ipdf" for interactive PDF.
|
| But still. I hate it.
| fsckboy wrote:
| > _PDFs should not be able to execute code_
|
| Postscript is code (it's a stack machine), and PDFs are
| Postscript
| martin_a wrote:
| > PDFs are Postscript
|
| PDFs have moved to native generation, due to the feature
| richness that has found its way into the specs.
|
| Nevertheless you can still write PS and feed it into a
| Distiller (or sth. alike) and render the output.
| tbraydn wrote:
| A surprising number of things used to accept executable code.
|
| In Microsoft Windows (~2000/ME), you used to be able embed
| JavaScript and ActiveX into ANY folder by replacing the folder
| view with your own HTML. Your customization would persist on
| shared network folders so others would see your HTML.
|
| So naturally, a bunch of us 14 year olds in like 2002, between
| playing Runescape and Neopets in computer lab and library time,
| found this out and started screwing with the shared network Z:
| drive used by both teachers and students across every
| elementary, middle and high school in the school district.
|
| There were dumb things you could do with all that power like
| open people's CD-ROM reader trays by abusing the Windows Media
| ActiveX control. It had an eject() method on the object.
|
| It ended up breaking in an edit war of the shared drive. There
| were some generic AD accounts used district-wide so you could
| avoid getting caught. We found out you could prefix the
| username with the domain and login with accounts from other
| schools. At one point, someone crossed the line, but I don't
| think anyone got caught.
| ta1243 wrote:
| You put the <img src="file://c:/con/con"> in right? Or had
| that been fixed by the DHTML era
| slig wrote:
| I used to place that as the home page of IE.
| thih9 wrote:
| Would this work on a simple (non-android) eink reader, like a
| kindle?
| random_i wrote:
| Playable where?
|
| It doesn't work in the Adobe Chrome PDF viewer, or in Preview.
| grimgrin wrote:
| playable for me in firefox and chrome
| cryptozeus wrote:
| works for me in chrome
| icameron wrote:
| Sadly, Adobe Acrobat Viewer cannot load it, but if go to Chrome
| and choose Open.. That should use chrome PDF to display it in
| the browser (depending on your settings maybe) which worked for
| me.
| TMWNN wrote:
| Works in Edge's PDF viewer, after exiting the initial mode via
| the <- in the upper left corner. (If you know how to avoid this
| being the default, let me know.)
| kvirani wrote:
| Wow... It's only January. I'm so excited to see what you release
| in February and beyond!
| pmarreck wrote:
| this is a horrible idea.
|
| which is why i am commenting to check it out later.
|
| since postscript is also a language that it literally runs to
| render, would it also be possible to use postscript to make
| interactive elements?
| lihaciudaniel wrote:
| Doesn't work in pdf.js
| efitz wrote:
| This is amazing and terrifying (I am a security engineer and
| parsing complex document formats is a never-ending treasure trove
| of vulnerabilities).
| tashian wrote:
| AI agents run in isolated VMs, but PDFs have been out here
| running in the open for 30 years!
| miohtama wrote:
| But can your PDF run an AI agent?
| freedomben wrote:
| Looking forward to a day when you may not have a powerful
| enough GPU to open a PDF
| hnlmorg wrote:
| In my opinion the question isn't so much "if" but rather
| "when".
|
| When will AI research and hardware capabilities reach a
| point that it's practical to embed something like that into
| a regular document?
|
| We've already seen proof of concept LLMs embedded into
| OpenType fonts.
|
| I guess the other question is then "what capabilities would
| these AI agents have?" You'd hope just permission to
| present within that document. But that depends entirely on
| what unpatched vulnerabilities are lurking (such as the
| Microsoft ANSI RCE also featured on the HN front page)
| btown wrote:
| For Chrome's PDF renderer, the runtime is V8, so we're
| literally one (hilarious) line of code away from this
| glorious future existing today:
|
| https://pdfium.googlesource.com/pdfium/+/refs/heads/main/
| fpd...
|
| > // Use interpreted JS only to avoid RWX pages in our
| address space. Also, --jitless implies --no-expose-wasm,
| which reduce exposure since no PDF should contain web
| assembly.
|
| > return "--jitless";
| Thorrez wrote:
| You could write an LLM in plain JS, right?
| btown wrote:
| Yep, but one without the ability to even JIT down to
| vectorized CPU commands (to say nothing of GPU
| connectivity) would be incredibly slow indeed!
| siva7 wrote:
| The first widespread AI Malware will be a historic moment
| in this century. It will adapt like a real biological virus
| to its host and we have no cure for this.
| saagarjha wrote:
| We could unplug all the GPUs.
| Swizec wrote:
| > But can your PDF run an AI agent?
|
| Oh it's so much worse than that. Your _font_ can run an AI
| agent.
|
| Llama.ttf: A font which is also an LLM --
| https://news.ycombinator.com/item?id=40766791
| bawolff wrote:
| Well a font using a custom experimental shaping library.
| Your font can't do it normally.
| belowm wrote:
| Crazy. Looking forward shipping apps as .ttf instead of
| docker images.
| erk__ wrote:
| You can also play Tetris in a font:
| https://www.youtube.com/watch?v=Ms1Drb9Vw9M&t=1370s
|
| (disclaimer: own work)
| neuroelectron wrote:
| This isn't even the beginning of what's possible in PDFs.
| wayvey wrote:
| The amount of attack surface in various format parsers is
| pretty stunning and terrifying indeed
| mizzao wrote:
| The "code execution" in PDF parsing is what enabled this
| legendary zero-click, zero-day exploit of iOS devices:
| https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...
| kccqzy wrote:
| That exploit is indeed legendary but the code execution
| involved is not JavaScript. In fact the iOS PDF renderer does
| not have JavaScript enabled.
| saagarjha wrote:
| Obviously a skill issue; a true hacker would re-enable it.
| enews01 wrote:
| Theres a malaysian movie where the main premise is a hacker who
| uses pdf executions to steal one cent from every persons bank
| account. Its pretty interesting.
| brettermeier wrote:
| Do you know the name of the movie?
| wastholm wrote:
| Not OP, but I found a series, not a movie, titled _One Cent
| Thief_ that fits the description. Sounds interesting.
|
| https://archive.org/details/OneCentThiefSeries
| abdibrokhim wrote:
| Warning: Error during font loading: Font "HeBo" is not available.
| luismedel wrote:
| Awesome.
|
| I don't do security stuff anymore but I feel chills when I see
| (great) things like this,
| bwjx wrote:
| This is awesome.
|
| Took a bit of prompting but was able to get a semi-working (only
| in Chrome) Flappy Bird out of Claude in ~10 minutes. Seems like
| the collision detection needs some work :)
|
| https://github.com/baileywjohnson/flapdfy-bird/blob/main/fla...
| Uptrenda wrote:
| Actually works, a bit buggy but its a good POC.
| ilvez wrote:
| I'm probably lucky that Sumatra is showing them as static
| documents.
| Thoreandan wrote:
| Related: Ange Albertini, the creator of the .PDF/.ZIP/ELF
| reference diagrams (github/corkami) has started posting overview
| videos on his YT channel (@corkami-albertini) including creating
| .PDF+.PNG+.ZIP chimera files.
|
| The .PDF basics vid was the first in the series:
| https://www.youtube.com/watch?v=q6KgFezu8tw
| billiam wrote:
| and this is why I can't read HN at work anymore........
|
| I have increasing confidence that when AIs finally destroy the
| Internet the delivery vehicle will be the file format that was
| created, as the Internet itself was, as a form of digital paper.
| eximius wrote:
| Interesting!
|
| Something neat I found, you're able to 'clip' the blocks into
| each other by spinning them right before the block settles.
| alphabet9000 wrote:
| amazing, i didn't know PDF supported javascript.
|
| i've tried making "interactive" PDFs before but using POST and
| server side rendering rather than client, e.g. a PDF typewriter i
| made a little while back on http://news.coffee
| krick wrote:
| Ok, I kinda knew it was possible (I guess, anybody did), but this
| should be a very illustrative example. And unfortunately it
| doesn't seem like PDFs are gonna go away (though, really, why the
| hell there isn't any alternative?!) So it raises the question: is
| there _any_ way to handle this garbage safely? I.e. in a way it
| couldn 't run JS? I'm pretty sure it is not really _necessary_ to
| read 99.999% PDFs out there.
| BoingBoomTschak wrote:
| You can build mupdf with -javascript on Gentoo (I also bwrap it
| to hell, personally).
| 0xKelsey wrote:
| That's both awesome and terrifying security-wise.
| freedomben wrote:
| A few questions if you're willing:
|
| 1. What led you to want to do this project?
|
| 2. Have you worked with PDFs before? Do you work with PDFs as
| part of your day job?
|
| 3. Have you implemented Tetris before or is this your first time?
|
| 4. How long did it take you?
| casey2 wrote:
| I believe there is a bug with the T block, I think I managed to
| overlap some blocks
| rgmerk wrote:
| This is Evil Genius level work. Congratulations!
|
| Did you do the actual coding in Acrobat or is there a less
| painful way to write embedded JS in a PDF?
| theginger wrote:
| I hope to see this evolved into doom by the end of the year. And
| it better not be just monochrome
| nejsjsjsbsb wrote:
| PDFs, Regexes and Typescript Compiler make great runtimes!
| Uptrenda wrote:
| I did the same but with snake: https://roberts.pm/resume.pdf
| (Game at bottom -- though only works in Firefox and adobe. Now I
| need to add chrome support, thanks op. lmao)
|
| Edit: here's the code for my snake game too, btw =
| https://github.com/robertsdotpm/resume/blob/main/snake.js
| toddm wrote:
| This is really cool and fun!
|
| I don't know much about the security issues others have raised,
| but if you're good enough to make this thing then I deserve to be
| pwned by you.
|
| Chapeau!
| Uptrenda wrote:
| OP, I still don't really understand how you got it to work in
| Chrome?
| tamersalama wrote:
| Take that RAG parser
| _bydex wrote:
| I dont have a kindle to test, but i wonder if this works on a
| kindle
| wizzwizz4 wrote:
| Almost certainly not. Kindle's native format is MOBI, not PDF.
| weddingbell wrote:
| I printed the PDF on A4 paper, but Tetris doesn't work! lol
| 8mobile wrote:
| playing Tetris on a pdf is the last thing I would have thought
| of. Kudos for the idea and implementation. To start a new game do
| I have to reload the pdf? Thanks
| amunozo wrote:
| Lol, I love it. Why didn't you include points multipliers when
| more than one line is filled though?
| chimo777 wrote:
| That's amazing! It goes beyond my understanding of PDFs.
| ustad wrote:
| That reminded to disable javascript in pdfjs that is used in
| firefox.
|
| Feel much safer!
| aoeb wrote:
| Open about:config
|
| Search for "pdfjs.enableScripting"
|
| Set to false.
| phforms wrote:
| Apparently, it is set to false by default in Zen Browser. In
| my Firefox it was still true.
| vasco wrote:
| So you also disable it for normal browsing?
| aceazzameen wrote:
| Whew! I didn't realize it was enabled already.
| Uptrenda wrote:
| Well OP, you have definitely made me reconsider my assumptions
| about PDFium. I had assumed that JS didn't work altogether in
| Chrome. But clearly there's just bugs in the code I wrote. You've
| inspired me to have another crack at solving it. But definitely
| when the time is right. It's going to be a lot of hair pulling, I
| can see that now.
|
| I'm not sure what your process was for testing your scripts: but
| for me because there was no meaningful error output I had to
| incrementally build up my script line by line (which took
| forever.) So I thought I'd done well when I got my stuff working
| in Adobe + Firefox. I wonder if now everyone is going to add
| similar scripts to their resumes :p Doom will be next, maybe?
| Shinchy wrote:
| That's truly amazing! I knew you could do a lot with PDF but that
| not to this extent.
| jeffhuys wrote:
| I actually am kind-of happy that this doesn't work on Mac (if you
| don't install Acrobat) / preview.
| ReneFroger wrote:
| I'm wondering if running Doom in PDF files might be achievable,
| or is that a step too far away?
| vanderZwan wrote:
| Probably in the domain of _technically_ possible but good luck
| trying to get it to run fast enough and with little enough
| memory that the PDF engine doesn 't crash.
| darkce wrote:
| so good
| shekywakey wrote:
| Will you call it the "Thomas Engine" that powers simple GUI games
| on PDF?
| LetsGetTechnicl wrote:
| This is an affront against god. Good work.
| weinzierl wrote:
| It's hard to overstate the ingenuity that went into this!
|
| Despite what people say in the comments here, both browsers
| really do not let you execute PDF JavaScript willy nilly. Outside
| of browser environments you are mostly safe anyway because
| JavaScript is rarely supported, with the big exception being
| Acrobat. The cleverness of pdftris is not so much Tetris in PDF
| but how it found its way around the restrictions that browser
| environments have put up to protect us.
|
| From what I understand pdftris also only works because of user
| interaction. I think there is no way to run JavaScript in a PDF
| without user interaction.
| brumar wrote:
| You can manipulate form fields at anytime, and setInterval is
| provided so you can have things that run in an infinite loop.
| But yeah, as a first approximation, the only things js in pdf
| can do is mutate form fields and react to events related to
| form fields, unless your pdf reader is acrobat and that's
| something else entirely.
| weinzierl wrote:
| My point is that nothing runs without at least one initial
| user interaction - which makes a big difference for security.
|
| I believe this is even true for Acrobat with default
| settings, because while you can trigger JavaScript when a
| document is opened (/OpenAction) Acrobat will ask for
| permission.
| brumar wrote:
| I think I got your point but might have expressed myself
| badly. The pdf can run js and messes with the display right
| at opening time, without any warning or ask for permission.
| weinzierl wrote:
| Exactly, thanks for the clarification.
| shivekkhurana wrote:
| But can it run Doom ?
| ninalanyon wrote:
| I'm very pleased that this did not work in Firefox on Linux Mint.
| Unfortunately it does work in Vivaldi.
| skykooler wrote:
| It works in Firefox on Manjaro.
| enews01 wrote:
| Wow this was quite fun and impressive! Looks like it doesn't work
| on Firefox, I wonder why.
| jancek27 wrote:
| Just played it on Firefox. Maybe we have different browser
| settings?
| julian37 wrote:
| Works fine here (134.0 on macOS)
| rhokstar wrote:
| I would be surprised if Doom was playable in a PDF that was being
| read in a LCD screen of a thermometer.
| brettermeier wrote:
| You would or wouldn't be surprised?
| swyx wrote:
| ... why exactly do PDF engines have to run javascript? wtf?
| kleiba wrote:
| A friend of mine once applied for a job with the local PT
| operator. For that, I finagled the PDF of his CV such that after
| a minute or so, one of the company's trains would drive over the
| page from left to right at the very bottom.
|
| He never heard back from them.
___________________________________________________________________
(page generated 2025-01-11 23:01 UTC)