Throw an exception if a picture claims to have a negative amount of data. Should...

git-svn-id: https://svn.apache.org/repos/asf/jakarta/poi/trunk@495578 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java b/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
index b9a1a67292a95d23464067b9b6eb5409f926b254..774129a9ccdc48ffaab39fbeb9f41085a6aceae9 100644 (file)
--- a/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
+++ b/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
@@ -35,6 +35,7 @@ import org.apache.poi.hpsf.MutablePropertySet;
 import org.apache.poi.hpsf.SummaryInformation;
 import org.apache.poi.hpsf.DocumentSummaryInformation;
 
+import org.apache.poi.hslf.exceptions.CorruptPowerPointFileException;
 import org.apache.poi.hslf.exceptions.EncryptedPowerPointFileException;
 import org.apache.poi.hslf.record.*;
 import org.apache.poi.hslf.usermodel.PictureData;
@@ -272,6 +273,13 @@ public class HSLFSlideShow extends POIDocument
             byte[] imgdata = new byte[imgsize];
             System.arraycopy(pictstream, pos, imgdata, 0, imgdata.length);
 
+                       // The image size must be 0 or greater
+                       // (0 is allowed, but odd, since we do wind on by the header each
+                       //  time, so we won't get stuck)
+                       if(imgsize < 0) {
+                               throw new CorruptPowerPointFileException("The file contains a picture, at position " + p.size() + ", which has a negatively sized data length, so we can't trust any of the picture data");
+                       }
+
                        // If they type (including the bonus 0xF018) is 0, skip it
                        if(type == 0) {
                                System.err.println("Problem reading picture: Invalid image type 0, on picture with length" + imgsize + ".\nYou document will probably become corrupted if you save it!");