Limit allocated elements in the PlfLfo structure for word documents
authorDominik Stadler <centic@apache.org>
Thu, 6 Jan 2022 11:10:00 +0000 (11:10 +0000)
committerDominik Stadler <centic@apache.org>
Thu, 6 Jan 2022 11:10:00 +0000 (11:10 +0000)
Use large allocation-detection here as well,
otherwise some documents can try to allocate too much memory.

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1896744 13f79535-47bb-0310-9956-ffa450edef68

poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
test-data/document/Fuzzed.doc [new file with mode: 0644]
test-data/spreadsheet/stress.xls

index b92c2d41b2a08fb86cb4d4b1fdf3b8ebb68f24d3..a9f54d32c985a768f79aa4b428ed52eed63e40a0 100644 (file)
@@ -26,6 +26,7 @@ import java.util.NoSuchElementException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.poi.hwpf.model.types.LFOAbstractType;
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.LittleEndian;
 import org.apache.poi.util.LittleEndianConsts;
 
@@ -37,10 +38,11 @@ import static org.apache.logging.log4j.util.Unbox.box;
  * Documentation quoted from Page 424 of 621. [MS-DOC] -- v20110315 Word (.doc)
  * Binary File Format
  */
-public class PlfLfo
-{
+public class PlfLfo {
     private static final Logger LOGGER = LogManager.getLogger(PlfLfo.class);
 
+    private static final int MAX_NUMBER_OF_LFO = 100_000;
+
     /**
      * An unsigned integer that specifies the count of elements in both the
      * rgLfo and rgLfoData arrays.
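Review bot: `MAX_NUMBER_OF_LFO` is added without a comment saying what it bounds or where 100_000 comes from, so a later reader cannot tell whether it is a format limit or a defensive cap against malformed input. I would put a comment above it, for example `// Defensive cap on the lfoMac element count read from the file (a count, not a byte size)`, adjusted if the value is in fact taken from the [MS-DOC] specification. The constant is also fixed at compile time, so it is worth stating in that comment whether callers with legitimately large documents have any way to raise it. The class body continues outside this hunk.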
@@ -76,6 +78,8 @@ public class PlfLfo
                             + Integer.MAX_VALUE + " elements" );
         }
 
+        IOUtils.safelyAllocateCheck(lfoMacLong, MAX_NUMBER_OF_LFO);
+
         this._lfoMac = (int) lfoMacLong;
         _rgLfo = new LFO[_lfoMac];
         _rgLfoData = new LFOData[_lfoMac];
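Review bot: The new check caps `lfoMacLong` at a constant but does not relate it to how many bytes of data actually back the structure, so a file that declares close to 100,000 entries with almost nothing behind them still gets both `_rgLfo` and `_rgLfoData` allocated at that size before any element is read. If the constructor knows the byte length of the PlfLfo data (it starts outside this hunk, so I cannot confirm), comparing the declared count against that length would reject such files earlier and more precisely than a fixed number. The `Integer.MAX_VALUE` guard just above now looks redundant given the much lower cap. I also believe `IOUtils.safelyAllocateCheck` honours the global byte-array maximum override, in which case an application that raises that override for large files lifts this element cap as well; a comment such as `// element count, not bytes; the global IOUtils override also applies here` would make that visible.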
index fcae380bbf93d734c7942a93200d89d22c5e7c96..0df1b84f6b9848227b71cbb49eb1a080ab332286 100644 (file)
@@ -54,7 +54,9 @@ public class TestWordToConverterSuite
         "password_tika_binaryrc4.doc",
         "password_password_cryptoapi.doc",
         // WORD 2.0 file
-        "word2.doc"
+        "word2.doc",
+        // Corrupt file
+        "Fuzzed.doc"
     );
 
     public static Stream<Arguments> files() {
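Review bot: Nothing visible in this commit asserts that `Fuzzed.doc` is now rejected instead of driving a large allocation. The list it is added to is declared outside the hunk, but its other entries (password-protected files, a Word 2.0 file) suggest it is the set of files this converter suite skips, in which case the fuzzed sample is excluded rather than exercised. I would add a dedicated test that opens the file and expects the parser's format exception, for example `assertThrows(RecordFormatException.class, () -> HWPFTestDataSamples.openSampleFile("Fuzzed.doc"));`, with the exception type adjusted to what the loader actually raises for this sample.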
diff --git a/test-data/document/Fuzzed.doc b/test-data/document/Fuzzed.doc
new file mode 100644 (file)
index 0000000..c8201d8
Binary files /dev/null and b/test-data/document/Fuzzed.doc differ
index 4a3e25361591cbe844ba04989a0dd18c3ae0074a..bd26bf16d125aa4b177c127c07fc871c097558b5 100644 (file)
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ