Bug 66425: Avoid exceptions found via poi-fuzz

Prevent StackOverflow via endless nesting

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65303

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1914989 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
index be18652602a638a0b3fc06f7ab9a5d2cb84318f6..79b200dcca7d7ae18b48d751003cd52586a255fb 100644 (file)
--- a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
@@ -70,6 +70,7 @@ public abstract class BaseTestPPTIterating {
         EXCLUDED.put("clusterfuzz-testcase-minimized-POIFuzzer-6411649193738240.ppt", FileNotFoundException.class);
         EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-4838893004128256.ppt", FileNotFoundException.class);
         EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-4624961081573376.ppt", FileNotFoundException.class);
+        EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt", RuntimeException.class);
     }
 
     public static Stream<Arguments> files() {

diff --git a/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java b/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
index da4d2a32898752217c61ecc23451d2b1ad56583a..ab30e2c404e1017a5b2266a5ac03367107ad9a8b 100644 (file)
--- a/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
+++ b/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
@@ -91,7 +91,7 @@ public final class EscherContainerRecord extends EscherRecord implements Iterabl
         return fillFields(data, pOffset, recordFactory, 0);
     }
 
-    private int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory, int nesting) {
+    int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory, int nesting) {
         if (nesting > MAX_NESTED_CHILD_NODES) {
             throw new IllegalStateException("Had more than the limit of " + MAX_NESTED_CHILD_NODES + " nested child notes");
         }
@@ -104,6 +104,8 @@ public final class EscherContainerRecord extends EscherRecord implements Iterabl
             final int childBytesWritten;
             if (child instanceof EscherContainerRecord) {
                 childBytesWritten = ((EscherContainerRecord)child).fillFields(data, offset, recordFactory, nesting + 1);
+            } else if (child instanceof UnknownEscherRecord) {
+                childBytesWritten = ((UnknownEscherRecord)child).fillFields(data, offset, recordFactory, nesting + 1);
             } else {
                 childBytesWritten = child.fillFields(data, offset, recordFactory);
             }

diff --git a/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java b/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java
index c6e71ea0990b2552bca2a81b48e5a4abdfb9a03b..475cfdecaef1a5aa1a59c9d62ad715bf7ca6c60e 100644 (file)
--- a/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java
+++ b/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java
@@ -32,13 +32,14 @@ import org.apache.poi.util.LittleEndian;
  * we do not explicitly support.
  */
 public final class UnknownEscherRecord extends EscherRecord {
-
     //arbitrarily selected; may need to increase
     private static final int DEFAULT_MAX_RECORD_LENGTH = 100_000_000;
     private static int MAX_RECORD_LENGTH = DEFAULT_MAX_RECORD_LENGTH;
 
     private static final byte[] NO_BYTES = new byte[0];
 
+    private static final int MAX_NESTED_CHILD_NODES = 1000;
+
     /** The data for this record not including the 8 byte header */
     private byte[] thedata = NO_BYTES;
     private final List<EscherRecord> _childRecords = new ArrayList<>();
@@ -66,6 +67,14 @@ public final class UnknownEscherRecord extends EscherRecord {
 
     @Override
     public int fillFields(byte[] data, int offset, EscherRecordFactory recordFactory) {
+        return fillFields(data, offset, recordFactory, 0);
+    }
+
+    int fillFields(byte[] data, int offset, EscherRecordFactory recordFactory, int nesting) {
+        if (nesting > MAX_NESTED_CHILD_NODES) {
+            throw new IllegalStateException("Had more than the limit of " + MAX_NESTED_CHILD_NODES + " nested child notes");
+        }
+
         int bytesRemaining = readHeader( data, offset );
         /*
          * Have a check between available bytes and bytesRemaining,
@@ -83,7 +92,13 @@ public final class UnknownEscherRecord extends EscherRecord {
             bytesWritten += 8;
             while ( bytesRemaining > 0 ) {
                 EscherRecord child = recordFactory.createRecord( data, offset );
-                int childBytesWritten = child.fillFields( data, offset, recordFactory );
+                final int childBytesWritten;
+
+                if (child instanceof EscherContainerRecord) {
+                    childBytesWritten = ((EscherContainerRecord)child).fillFields(data, offset, recordFactory, nesting + 1);
+                } else {
+                    childBytesWritten = child.fillFields(data, offset, recordFactory);
+                }
                 bytesWritten += childBytesWritten;
                 offset += childBytesWritten;
                 bytesRemaining -= childBytesWritten;

diff --git a/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt
new file mode 100644 (file)
index 0000000..29c3324
Binary files /dev/null and b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt differ

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 686638aa5314c5470251ba8362866fa8d796b083..43e8f6950df06c0b99b5101fae617ea2a07f706a 100644 (file)
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ