bug 61300 -- prevent really long (infinite?) loop on corrupt file

author Tim Allison <tallison@apache.org>

Fri, 14 Jul 2017 20:47:40 +0000 (20:47 +0000)

committer Tim Allison <tallison@apache.org>

Fri, 14 Jul 2017 20:47:40 +0000 (20:47 +0000)
author Tim Allison <tallison@apache.org>
Fri, 14 Jul 2017 20:47:40 +0000 (20:47 +0000)
committer Tim Allison <tallison@apache.org>
Fri, 14 Jul 2017 20:47:40 +0000 (20:47 +0000)
diff --git a/src/integrationtest/org/apache/poi/TestAllFiles.java b/src/integrationtest/org/apache/poi/TestAllFiles.java

index 9a9ba8864f9f3bf39d6ea37420aa5e79d71c8f3c..b84257d13ee835f601457709dea0e3374ccf8284 100644 (file)
--- a/src/integrationtest/org/apache/poi/TestAllFiles.java
+++ b/src/integrationtest/org/apache/poi/TestAllFiles.java
@@ -331,7 +331,8 @@ public class TestAllFiles {
          // need JDK8+ - https://bugs.openjdk.java.net/browse/JDK-8038081
          "slideshow/42474-2.ppt",
          // OPC handler works / XSSF handler fails
-        "spreadsheet/57181.xlsm"
+        "spreadsheet/57181.xlsm",
+        "spreadsheet/61300.xls"//intentionally fuzzed -- used to cause infinite loop
      );
  
      @Parameters(name="{index}: {0} using {1}")
diff --git a/src/integrationtest/org/apache/poi/stress/HSSFFileHandler.java b/src/integrationtest/org/apache/poi/stress/HSSFFileHandler.java

index c2928e72c0b8e754329b6a2b5b40ebe27fa711ad..0f6f65d0b7d030f9ad15b68dab4f99defa486549 100644 (file)
--- a/src/integrationtest/org/apache/poi/stress/HSSFFileHandler.java
+++ b/src/integrationtest/org/apache/poi/stress/HSSFFileHandler.java
@@ -16,6 +16,17 @@
  ==================================================================== */
  package org.apache.poi.stress;
  
+import static org.junit.Assert.assertFalse;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.util.HashSet;
+import java.util.Set;
+
  import org.apache.poi.EncryptedDocumentException;
  import org.apache.poi.hssf.OldExcelFormatException;
  import org.apache.poi.hssf.dev.BiffViewer;
@@ -23,12 +34,6 @@ import org.apache.poi.hssf.usermodel.HSSFWorkbook;
  import org.apache.poi.util.RecordFormatException;
  import org.junit.Test;
  
-import java.io.*;
-import java.util.HashSet;
-import java.util.Set;
-
-import static org.junit.Assert.assertFalse;
-
  public class HSSFFileHandler extends SpreadsheetHandler {
         private final POIFSFileHandler delegate = new POIFSFileHandler();
         @Override
@@ -61,6 +66,7 @@ public class HSSFFileHandler extends SpreadsheetHandler {
                 EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/50833.xls");
                 EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/51832.xls");
                 EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/XRefCalc.xls");
+               EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/61300.xls");
         }
  
         @Override
diff --git a/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java b/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java

index 5c9d35da235bcd0208f5380776978c2bcb681f88..848fd9f0063a950d13db6352420e088483ebc3a7 100644 (file)
--- a/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java
+++ b/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java
@@ -70,6 +70,9 @@ public final class NDocumentInputStream extends DocumentInputStream {
          _document_size = document.getSize();
          _closed = false;
  
+        if (_document_size < 0) {
+            //throw new RecordFormatException("Document size can't be < 0");
+        }
          DocumentNode doc = (DocumentNode)document;
          DocumentProperty property = (DocumentProperty)doc.getProperty();
          _document = new NPOIFSDocument(
@@ -248,6 +251,10 @@ public final class NDocumentInputStream extends DocumentInputStream {
  
     @Override
         public void readFully(byte[] buf, int off, int len) {
+        if (len < 0) {
+           throw new RuntimeException("Can't read negative number of bytes");
+        }
+
                 checkAvaliable(len);
  
                 int read = 0;
diff --git a/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java b/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java

index 9b6ce33f46ab2158a86bc754dad6e0b836963787..cc280390ef43f46275b8d86365d4a6ee09ae5734 100644 (file)
--- a/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java
+++ b/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java
@@ -20,6 +20,7 @@ package org.apache.poi.poifs.filesystem;
  import java.io.IOException;
  
  import org.apache.poi.poifs.storage.DataInputBlock;
+import org.apache.poi.util.RecordFormatException;
  
  /**
   * This class provides methods to read a DocumentEntry managed by a
@@ -64,6 +65,9 @@ public final class ODocumentInputStream extends DocumentInputStream {
                 _current_offset = 0;
                 _marked_offset = 0;
                 _document_size = document.getSize();
+               if (_document_size < 0) {
+                       throw new RecordFormatException("document_size cannot be < 0");
+               }
                 _closed = false;
                 _document = documentNode.getDocument();
                 _currentBlock = getDataInputBlock(0);
diff --git a/src/java/org/apache/poi/util/BoundedInputStream.java b/src/java/org/apache/poi/util/BoundedInputStream.java

index 1cdeb39f33993f613ac55b3c61171b02ac2ba3da..1ef84d9ff094d4d7504961fb10a08a38c34e208d 100644 (file)
--- a/src/java/org/apache/poi/util/BoundedInputStream.java
+++ b/src/java/org/apache/poi/util/BoundedInputStream.java
@@ -19,8 +19,6 @@ package org.apache.poi.util;
  import java.io.IOException;
  import java.io.InputStream;
  
-import org.apache.poi.util.SuppressForbidden;
-
  /**
   * This is a stream that will only supply bytes up to a certain length - if its
   * position goes above that, it will stop.
diff --git a/src/java/org/apache/poi/util/IOUtils.java b/src/java/org/apache/poi/util/IOUtils.java

index 296d92cf08379ffee08192955e2f772cf62ddb95..25e5652d93fb4c7dbd483aa52c65931dc580f99a 100644 (file)
--- a/src/java/org/apache/poi/util/IOUtils.java
+++ b/src/java/org/apache/poi/util/IOUtils.java
@@ -310,6 +310,9 @@ public final class IOUtils {
          byte[] buff = new byte[4096];
          int count;
          while ((count = inp.read(buff)) != -1) {
+            if (count < -1) {
+                throw new RecordFormatException("Can't have read < -1 bytes");
+            }
              if (count > 0) {
                  out.write(buff, 0, count);
              }
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestBiffDrawingToXml.java b/src/testcases/org/apache/poi/hssf/dev/TestBiffDrawingToXml.java

index ffcb676d5cb1658899abcd0a97b16edf06da9892..c739364c42b111f09d1f173d8dea8612e2a02cad 100644 (file)
--- a/src/testcases/org/apache/poi/hssf/dev/TestBiffDrawingToXml.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestBiffDrawingToXml.java
@@ -24,6 +24,7 @@ import java.io.PrintStream;
  import org.apache.poi.EncryptedDocumentException;
  import org.apache.poi.hssf.OldExcelFormatException;
  import org.apache.poi.hssf.record.RecordInputStream;
+import org.apache.poi.util.RecordFormatException;
  import org.junit.BeforeClass;
  
  public class TestBiffDrawingToXml extends BaseXLSIteratingTest {
@@ -45,6 +46,7 @@ public class TestBiffDrawingToXml extends BaseXLSIteratingTest {
          EXCLUDED.put("60284.xls", OldExcelFormatException.class); // Biff 5 / Excel 95
          EXCLUDED.put("43493.xls", RecordInputStream.LeftoverDataException.class);  // HSSFWorkbook cannot open it as well
          EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
+        EXCLUDED.put("61300.xls", RecordFormatException.class);
      }
         
         @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestBiffViewer.java b/src/testcases/org/apache/poi/hssf/dev/TestBiffViewer.java

index 5a36de494032e9c6c641840090de6db06a83555f..414ae7f2fe09c9f9adab659b2720895925119046 100644 (file)
--- a/src/testcases/org/apache/poi/hssf/dev/TestBiffViewer.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestBiffViewer.java
@@ -28,6 +28,7 @@ import org.apache.poi.hssf.OldExcelFormatException;
  import org.apache.poi.hssf.record.RecordInputStream;
  import org.apache.poi.poifs.filesystem.NPOIFSFileSystem;
  import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
  import org.junit.BeforeClass;
  import org.junit.Ignore;
  import org.junit.Test;
@@ -53,6 +54,7 @@ public class TestBiffViewer extends BaseXLSIteratingTest {
          // EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
          EXCLUDED.put("50833.xls", IllegalArgumentException.class);       // "Name is too long" when setting username
          EXCLUDED.put("XRefCalc.xls", RuntimeException.class);            // "Buffer overrun"
+        EXCLUDED.put("61300.xls", RecordFormatException.class);
      }
  
      @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestEFBiffViewer.java b/src/testcases/org/apache/poi/hssf/dev/TestEFBiffViewer.java

index e07b9ff8e93083be0f049e2fea2a579d57803c27..0ba83ae55f35481476befaa701d5668a503eaf07 100644 (file)
--- a/src/testcases/org/apache/poi/hssf/dev/TestEFBiffViewer.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestEFBiffViewer.java
@@ -24,6 +24,7 @@ import org.apache.poi.EncryptedDocumentException;
  import org.apache.poi.hssf.OldExcelFormatException;
  import org.apache.poi.hssf.record.RecordInputStream;
  import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
  import org.junit.BeforeClass;
  
  public class TestEFBiffViewer extends BaseXLSIteratingTest {
@@ -46,6 +47,7 @@ public class TestEFBiffViewer extends BaseXLSIteratingTest {
          EXCLUDED.put("43493.xls", RecordInputStream.LeftoverDataException.class);  // HSSFWorkbook cannot open it as well
          EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
          EXCLUDED.put("XRefCalc.xls", RuntimeException.class);            // "Buffer overrun"
+        EXCLUDED.put("61300.xls", RecordFormatException.class);
      }
         
         @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestFormulaViewer.java b/src/testcases/org/apache/poi/hssf/dev/TestFormulaViewer.java

index 3e575f22baac4c0de330d08cc36bca60c22ae457..a272fc93144e75fbd1c543e3f3c503de438e6721 100644 (file)
--- a/src/testcases/org/apache/poi/hssf/dev/TestFormulaViewer.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestFormulaViewer.java
@@ -25,6 +25,7 @@ import org.apache.poi.EncryptedDocumentException;
  import org.apache.poi.hssf.OldExcelFormatException;
  import org.apache.poi.hssf.record.RecordInputStream;
  import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
  import org.junit.BeforeClass;
  
  public class TestFormulaViewer extends BaseXLSIteratingTest {
@@ -46,6 +47,7 @@ public class TestFormulaViewer extends BaseXLSIteratingTest {
          EXCLUDED.put("60284.xls", OldExcelFormatException.class); // Biff 5 / Excel 95
          EXCLUDED.put("43493.xls", RecordInputStream.LeftoverDataException.class);  // HSSFWorkbook cannot open it as well
          EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
+        EXCLUDED.put("61300.xls", RecordFormatException.class);
      }
         
      @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestReSave.java b/src/testcases/org/apache/poi/hssf/dev/TestReSave.java

index b1ae03aa9ac75dcc88fcd562901797f0e4870a6a..09d560de7ede27abba6883896d567bb4dab09c77 100644 (file)
--- a/src/testcases/org/apache/poi/hssf/dev/TestReSave.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestReSave.java
@@ -16,20 +16,21 @@
  ==================================================================== */
  package org.apache.poi.hssf.dev;
  
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.io.PrintStream;
+
  import org.apache.poi.EncryptedDocumentException;
  import org.apache.poi.POIDataSamples;
  import org.apache.poi.hssf.OldExcelFormatException;
  import org.apache.poi.hssf.record.RecordInputStream;
  import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
  import org.junit.BeforeClass;
  import org.junit.Ignore;
  import org.junit.Test;
  
-import java.io.File;
-import java.io.PrintStream;
-
-import static org.junit.Assert.assertTrue;
-
  public class TestReSave extends BaseXLSIteratingTest {
      @BeforeClass
      public static void setup() {
@@ -50,6 +51,7 @@ public class TestReSave extends BaseXLSIteratingTest {
          EXCLUDED.put("43493.xls", RecordInputStream.LeftoverDataException.class);  // HSSFWorkbook cannot open it as well
          EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
          EXCLUDED.put("XRefCalc.xls", RuntimeException.class);            // "Buffer overrun"
+        EXCLUDED.put("61300.xls", RecordFormatException.class);
      }
  
         @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestRecordLister.java b/src/testcases/org/apache/poi/hssf/dev/TestRecordLister.java

index a74846d463948f0b053ba7935667382b0c93ebf2..cf0907ea6ebdc7e68e7f0f17249be4e7ab7b1fa6 100644 (file)
--- a/src/testcases/org/apache/poi/hssf/dev/TestRecordLister.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestRecordLister.java
@@ -22,6 +22,7 @@ import java.io.PrintStream;
  
  import org.apache.poi.hssf.OldExcelFormatException;
  import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
  import org.junit.BeforeClass;
  
  public class TestRecordLister extends BaseXLSIteratingTest {
@@ -37,6 +38,7 @@ public class TestRecordLister extends BaseXLSIteratingTest {
          EXCLUDED.put("60284.xls", OldExcelFormatException.class); // Biff 5 / Excel 5
          EXCLUDED.put("testEXCEL_95.xls", OldExcelFormatException.class); // Biff 5 / Excel 95
          EXCLUDED.put("60284.xls", OldExcelFormatException.class); // Biff 5 / Excel 95
+        EXCLUDED.put("61300.xls", RecordFormatException.class);
  
      }
         
diff --git a/src/testcases/org/apache/poi/hssf/usermodel/TestBugs.java b/src/testcases/org/apache/poi/hssf/usermodel/TestBugs.java

index adc07bd952fc4cd90c2148d4e0ba64f00d18167f..f249fadf40af8e7f32355f5580b5f4baa2421727 100644 (file)
--- a/src/testcases/org/apache/poi/hssf/usermodel/TestBugs.java
+++ b/src/testcases/org/apache/poi/hssf/usermodel/TestBugs.java
@@ -45,6 +45,8 @@ import java.util.Locale;
  import java.util.TimeZone;
  
  import org.apache.poi.EncryptedDocumentException;
+import org.apache.poi.hpsf.PropertySet;
+import org.apache.poi.hpsf.SummaryInformation;
  import org.apache.poi.hssf.HSSFITestDataProvider;
  import org.apache.poi.hssf.HSSFTestDataSamples;
  import org.apache.poi.hssf.OldExcelFormatException;
@@ -63,6 +65,8 @@ import org.apache.poi.hssf.record.aggregates.PageSettingsBlock;
  import org.apache.poi.hssf.record.aggregates.RecordAggregate;
  import org.apache.poi.hssf.record.common.UnicodeString;
  import org.apache.poi.hssf.record.crypto.Biff8EncryptionKey;
+import org.apache.poi.poifs.filesystem.DocumentEntry;
+import org.apache.poi.poifs.filesystem.DocumentInputStream;
  import org.apache.poi.poifs.filesystem.NPOIFSFileSystem;
  import org.apache.poi.poifs.filesystem.OPOIFSFileSystem;
  import org.apache.poi.poifs.filesystem.POIFSFileSystem;
@@ -3139,4 +3143,15 @@ public final class TestBugs extends BaseTestBugzillaIssues {
          wb.close();
      }
  
+    @Test(expected = RuntimeException.class)
+    public void test61300() throws Exception {
+        NPOIFSFileSystem npoifs = new NPOIFSFileSystem(HSSFTestDataSamples.openSampleFileStream("61300.xls"));
+
+        DocumentEntry entry =
+                (DocumentEntry) npoifs.getRoot().getEntry(SummaryInformation.DEFAULT_STREAM_NAME);
+        PropertySet properties =
+                new PropertySet(new DocumentInputStream(entry));
+
+    }
+
  }
diff --git a/test-data/spreadsheet/61300.xls b/test-data/spreadsheet/61300.xls

new file mode 100644 (file)

index 0000000..0b54c8c

Binary files /dev/null and b/test-data/spreadsheet/61300.xls differ
author	Tim Allison <tallison@apache.org>
	Fri, 14 Jul 2017 20:47:40 +0000 (20:47 +0000)
committer	Tim Allison <tallison@apache.org>
	Fri, 14 Jul 2017 20:47:40 +0000 (20:47 +0000)
src/integrationtest/org/apache/poi/TestAllFiles.java		patch \| blob \| history
src/integrationtest/org/apache/poi/stress/HSSFFileHandler.java		patch \| blob \| history
src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java		patch \| blob \| history
src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java		patch \| blob \| history
src/java/org/apache/poi/util/BoundedInputStream.java		patch \| blob \| history
src/java/org/apache/poi/util/IOUtils.java		patch \| blob \| history
src/testcases/org/apache/poi/hssf/dev/TestBiffDrawingToXml.java		patch \| blob \| history
src/testcases/org/apache/poi/hssf/dev/TestBiffViewer.java		patch \| blob \| history
src/testcases/org/apache/poi/hssf/dev/TestEFBiffViewer.java		patch \| blob \| history
src/testcases/org/apache/poi/hssf/dev/TestFormulaViewer.java		patch \| blob \| history
src/testcases/org/apache/poi/hssf/dev/TestReSave.java		patch \| blob \| history
src/testcases/org/apache/poi/hssf/dev/TestRecordLister.java		patch \| blob \| history
src/testcases/org/apache/poi/hssf/usermodel/TestBugs.java		patch \| blob \| history
test-data/spreadsheet/61300.xls	[new file with mode: 0644]	patch \| blob