Fix issues found when fuzzing Apache POI via Jazzer

author Dominik Stadler <centic@apache.org>

Sun, 20 Mar 2022 06:52:51 +0000 (06:52 +0000)

committer Dominik Stadler <centic@apache.org>

Sun, 20 Mar 2022 06:52:51 +0000 (06:52 +0000)
author Dominik Stadler <centic@apache.org>
Sun, 20 Mar 2022 06:52:51 +0000 (06:52 +0000)
committer Dominik Stadler <centic@apache.org>
Sun, 20 Mar 2022 06:52:51 +0000 (06:52 +0000)
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java

index 1c6f6c394548c23e4b8dc573cc8d727725cc9810..3b69f66a0fee4964d1e8c441410f63b2fd8fb789 100644 (file)
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
@@ -50,6 +50,7 @@ import org.apache.poi.sl.usermodel.PresetColor;
  import org.apache.poi.sl.usermodel.Shape;
  import org.apache.poi.sl.usermodel.ShapeContainer;
  import org.apache.poi.sl.usermodel.ShapeType;
+import org.apache.poi.util.RecordFormatException;
  import org.apache.poi.util.Removal;
  import org.apache.poi.util.StringUtil;
  import org.apache.poi.util.Units;
@@ -167,6 +168,9 @@ public abstract class HSLFShape implements Shape<HSLFShape,HSLFTextParagraph> {
                  LOG.atWarn().log("EscherSpRecord.FLAG_CHILD is set but EscherChildAnchorRecord was not found");
              }
              EscherClientAnchorRecord clientRec = getEscherChild(EscherClientAnchorRecord.RECORD_ID);
+            if (clientRec == null) {
+                throw new RecordFormatException("Could not read record 'CLIENT_ANCHOR' with record-id: " + EscherClientAnchorRecord.RECORD_ID);
+            }
              x1 = clientRec.getCol1();
              y1 = clientRec.getFlag();
              x2 = clientRec.getDx1();
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java

index b13789f8431a2165fce658b6674f9600c07602b0..41692b77fecaa8d769cd69db684cf1b2255b32cd 100644 (file)
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java
@@ -42,6 +42,7 @@ import org.apache.poi.hslf.record.Record;
  import org.apache.poi.hslf.record.RecordTypes;
  import org.apache.poi.sl.usermodel.ShapeContainer;
  import org.apache.poi.sl.usermodel.ShapeType;
+import org.apache.poi.util.RecordFormatException;
  
  /**
   * Create a <code>Shape</code> object depending on its type
@@ -90,9 +91,12 @@ public final class HSLFShapeFactory {
       }
  
      public static HSLFShape createSimpleShape(EscherContainerRecord spContainer, ShapeContainer<HSLFShape,HSLFTextParagraph> parent){
-        HSLFShape shape = null;
          EscherSpRecord spRecord = spContainer.getChildById(EscherSpRecord.RECORD_ID);
+        if (spRecord == null) {
+            throw new RecordFormatException("Could not read EscherSpRecord as child of " + spContainer.getRecordName());
+        }
  
+        final HSLFShape shape;
          ShapeType type = ShapeType.forId(spRecord.getShapeType(), false);
          switch (type){
              case TEXT_BOX:
@@ -167,5 +171,4 @@ public final class HSLFShapeFactory {
          }
          return null;
      }
-
  }
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java

index 273f9e87ed660441c50bd2ff650ebb589891335b..1dfeda874f1536eb4c3979fc86b40fd2ae0c6b84 100644 (file)
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java
@@ -47,6 +47,7 @@ import org.apache.poi.util.Internal;
  import org.apache.poi.util.LittleEndian;
  import org.apache.poi.util.LittleEndianByteArrayInputStream;
  import org.apache.poi.util.LittleEndianByteArrayOutputStream;
+import org.apache.poi.util.RecordFormatException;
  
  /**
   * This class provides helper functions for encrypted PowerPoint documents.
@@ -100,7 +101,9 @@ public class HSLFSlideShowEncrypted implements Closeable {
          }
  
          org.apache.poi.hslf.record.Record r = recordMap.get(userEditAtomWithEncryption.getPersistPointersOffset());
-        assert(r instanceof PersistPtrHolder);
+        if (!(r instanceof PersistPtrHolder)) {
+            throw new RecordFormatException("Encountered an unexpected record-type: " + r);
+        }
          PersistPtrHolder ptr = (PersistPtrHolder)r;
  
          Integer encOffset = ptr.getSlideLocationsLookup().get(userEditAtomWithEncryption.getEncryptSessionPersistIdRef());
author	Dominik Stadler <centic@apache.org>
	Sun, 20 Mar 2022 06:52:51 +0000 (06:52 +0000)
committer	Dominik Stadler <centic@apache.org>
	Sun, 20 Mar 2022 06:52:51 +0000 (06:52 +0000)
poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java		patch \| blob \| history
poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java		patch \| blob \| history
poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java		patch \| blob \| history