Bug 66425: Add memory-safeguard in one more place

We try to generally avoid overly large allocations in places
where arrays are allocated.

We add one more such check for pictures in HSLF.

We might need to increase the used value of 10MB if users report
larger files being used frequently.

Overriding this check via IOUtils is possible.

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911525 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
index 70fb2870266a314f0cd9bfc484bd500ca2e042a0..170f42bfcb33dc7a3891bbe42685ad62ba6f2664 100644 (file)
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
@@ -94,6 +94,7 @@ public final class HSLFSlideShowImpl extends POIDocument implements Closeable {
     private static final int DEFAULT_MAX_RECORD_LENGTH = 200_000_000;
     private static final int MAX_DOCUMENT_SIZE = 100_000_000;
     private static int MAX_RECORD_LENGTH = DEFAULT_MAX_RECORD_LENGTH;
+    private static final int MAX_IMAGE_LENGTH = 10_000_000;
 
     // Holds metadata on where things are in our document
     private CurrentUserAtom currentUser;
@@ -407,7 +408,7 @@ public final class HSLFSlideShowImpl extends POIDocument implements Closeable {
         EscherContainerRecord blipStore = getBlipStore();
         byte[] pictstream;
         try (DocumentInputStream is = getDirectory().createDocumentInputStream(entry)) {
-            pictstream = IOUtils.toByteArray(is, entry.getSize());
+            pictstream = IOUtils.toByteArray(is, entry.getSize(), MAX_IMAGE_LENGTH);
         }
 
         List<PictureFactory> factories = new ArrayList<>();

diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
index c0572750b69879272970eaf57a4147e0f2e55c51..7b85af8ad95304be348b6c2042ef829409e8bed2 100644 (file)
--- a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
@@ -16,17 +16,23 @@
 ==================================================================== */
 package org.apache.poi.hslf.dev;
 
-import static org.junit.jupiter.api.Assertions.assertThrows;
+import org.apache.poi.EmptyFileException;
+import org.apache.poi.hslf.HSLFTestDataSamples;
+import org.junit.jupiter.api.Test;
 
 import java.io.File;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
 
-import org.apache.poi.EmptyFileException;
-import org.apache.poi.hslf.HSLFTestDataSamples;
-import org.junit.jupiter.api.Test;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 public class TestPPTXMLDump extends BaseTestPPTIterating {
+    static final Set<String> LOCAL_EXCLUDED = new HashSet<>();
+    static {
+        LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt");
+    }
+
     @Test
     void testMain() throws Exception {
         PPTXMLDump.main(new String[0]);
@@ -41,7 +47,13 @@ public class TestPPTXMLDump extends BaseTestPPTIterating {
 
     @Override
     void runOneFile(File pFile) throws Exception {
-        PPTXMLDump.main(new String[]{pFile.getAbsolutePath()});
+        try {
+           PPTXMLDump.main(new String[]{pFile.getAbsolutePath()});
+        } catch (IndexOutOfBoundsException e) {
+            if (!LOCAL_EXCLUDED.contains(pFile.getName())) {
+                throw e;
+            }
+        }
     }
 
     @Override

diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java
index b75bec517888e03cd07a039fa2092dda57d4e194..f3afc851fb08c8331d35aace5a58e1527fd4537d 100644 (file)
--- a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java
@@ -20,12 +20,19 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.File;
 import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
 
 import org.apache.poi.EmptyFileException;
 import org.apache.poi.hslf.HSLFTestDataSamples;
 import org.junit.jupiter.api.Test;
 
 public class TestSlideIdListing extends BaseTestPPTIterating {
+    static final Set<String> LOCAL_EXCLUDED = new HashSet<>();
+    static {
+        LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt");
+    }
+
     @Test
     void testMain() throws IOException {
         // calls System.exit(): SlideIdListing.main(new String[0]);
@@ -37,6 +44,12 @@ public class TestSlideIdListing extends BaseTestPPTIterating {
 
     @Override
     void runOneFile(File pFile) throws Exception {
-        SlideIdListing.main(new String[]{pFile.getAbsolutePath()});
+        try {
+            SlideIdListing.main(new String[]{pFile.getAbsolutePath()});
+        } catch (IllegalArgumentException e) {
+            if (!LOCAL_EXCLUDED.contains(pFile.getName())) {
+                throw e;
+            }
+        }
     }
 }
\ No newline at end of file

diff --git a/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt
new file mode 100644 (file)
index 0000000..26c74a2
Binary files /dev/null and b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt differ

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index a873b632cb72e537a614246635bd3f62aa38e8ef..70847a482cd28fd42546e61516cf7bfa49290244 100644 (file)
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ