More on bug #54682 - check for the end offset overflowing too

author Nick Burch <nick@apache.org>

Wed, 29 May 2013 17:31:50 +0000 (17:31 +0000)

committer Nick Burch <nick@apache.org>

Wed, 29 May 2013 17:31:50 +0000 (17:31 +0000)
author Nick Burch <nick@apache.org>
Wed, 29 May 2013 17:31:50 +0000 (17:31 +0000)
committer Nick Burch <nick@apache.org>
Wed, 29 May 2013 17:31:50 +0000 (17:31 +0000)
diff --git a/src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java b/src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java

index 6cf53f746021c24c19b75c101be0bd26034c9c99..967f46e803e527eb774e343a9705cf7d5f9d29ed 100644 (file)
--- a/src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java
+++ b/src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java
@@ -34,10 +34,12 @@ public final class UnhandledDataStructure
    public UnhandledDataStructure(byte[] buf, int offset, int length)
    {
      // Sanity check the size they've asked for
-    if (offset + length > buf.length)
+    int offsetEnd = offset + length;
+    if (offsetEnd > buf.length || offsetEnd < 0)
      {
        throw new IndexOutOfBoundsException("Buffer Length is " + buf.length + " " +
-                                          "but code is tried to read " + length + " from offset " + offset);
+                                          "but code is tried to read " + length + " " + 
+                                          "from offset " + offset + " to " + offsetEnd);
      }
      if (offset < 0 || length < 0)
      {
@@ -46,7 +48,7 @@ public final class UnhandledDataStructure
      }
      
      // Save that requested portion of the data 
-    _buf = Arrays.copyOfRange(buf, offset, offset + length);
+    _buf = Arrays.copyOfRange(buf, offset, offsetEnd);
    }
  
    byte[] getBuf()
author	Nick Burch <nick@apache.org>
	Wed, 29 May 2013 17:31:50 +0000 (17:31 +0000)
committer	Nick Burch <nick@apache.org>
	Wed, 29 May 2013 17:31:50 +0000 (17:31 +0000)