[bug-65899] fix issue where malformed tnef file can cause memory problems

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1898208 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hmef/attribute/MAPIAttribute.java b/poi-scratchpad/src/main/java/org/apache/poi/hmef/attribute/MAPIAttribute.java
index 18f47d065443de3b0bdf774ccc5025b715743429..0338ed62dc83feded8628d0a5c348c2dd55b5071 100644 (file)
--- a/poi-scratchpad/src/main/java/org/apache/poi/hmef/attribute/MAPIAttribute.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hmef/attribute/MAPIAttribute.java
@@ -150,7 +150,9 @@ public class MAPIAttribute {
          MAPIProperty prop = MAPIProperty.get(id);
          if(id >= 0x8000 && id <= 0xFFFF) {
             byte[] guid = new byte[16];
-            IOUtils.readFully(inp, guid);
+            if (IOUtils.readFully(inp, guid) < 0) {
+               throw new IOException("Not enough data to read guid");
+            }
             int mptype = LittleEndian.readInt(inp);
 
             // Get the name of it
@@ -164,7 +166,9 @@ public class MAPIAttribute {
                // Custom name was stored
                int mplen = LittleEndian.readInt(inp);
                byte[] mpdata = IOUtils.safelyAllocate(mplen, MAX_RECORD_LENGTH);
-               IOUtils.readFully(inp, mpdata);
+               if (IOUtils.readFully(inp, mpdata) < 0) {
+                  throw new IOException("Not enough data to read " + mplen + " bytes for attribute name");
+               }
                name = StringUtil.getFromUnicodeLE(mpdata, 0, (mplen/2)-1);
                skipToBoundary(mplen, inp);
             }
@@ -189,7 +193,9 @@ public class MAPIAttribute {
          for(int j=0; j<values; j++) {
             int len = getLength(type, inp);
             byte[] data = IOUtils.safelyAllocate(len, MAX_RECORD_LENGTH);
-            IOUtils.readFully(inp, data);
+            if (IOUtils.readFully(inp, data) < 0) {
+               throw new IOException("Not enough data to read " + len + " bytes of attribute value");
+            }
             skipToBoundary(len, inp);
 
             // Create

diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hmef/attribute/TestTNEFAttributes.java b/poi-scratchpad/src/test/java/org/apache/poi/hmef/attribute/TestTNEFAttributes.java
index 9e305269992faa384bcf5e7fd981d87685604fb6..7d8869988e7e2c2ec04cab77e15a5eb85d9d438d 100644 (file)
--- a/poi-scratchpad/src/test/java/org/apache/poi/hmef/attribute/TestTNEFAttributes.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hmef/attribute/TestTNEFAttributes.java
@@ -19,8 +19,10 @@ package org.apache.poi.hmef.attribute;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import java.io.ByteArrayInputStream;
+import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
 import java.text.DateFormat;
@@ -47,6 +49,17 @@ public final class TestTNEFAttributes {
         }
     }
 
+    /**
+     * Test malformed TNEF is detected by MAPIAttribute and does not cause Out Of Memory error
+     */
+    @Test
+    void testMalformedTNEF() throws Exception {
+        try (InputStream is = _samples.openResourceAsStream("oom.tnef")) {
+            quick = new HMEFMessage(is);
+        } catch (Exception e) {
+            assertTrue(e instanceof IOException);
+        }
+    }
     /**
      * Test counts
      */

diff --git a/test-data/hmef/oom.tnef b/test-data/hmef/oom.tnef
new file mode 100644 (file)
index 0000000..58459aa
Binary files /dev/null and b/test-data/hmef/oom.tnef differ