Bug 66425: Avoid a ClassCastException found via oss-fuzz

We try to avoid throwing ClassCastException, but it was possible
to trigger one here with a specially crafted input-file

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61243

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911507 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/poi-integration/src/test/java/org/apache/poi/stress/HPSFFileHandler.java b/poi-integration/src/test/java/org/apache/poi/stress/HPSFFileHandler.java
index fff7daa8eceb0a1847d882682ad27b0e78f2810f..705bed2e53dd01aaecbebb17b0739748b8b6e5de 100644 (file)
--- a/poi-integration/src/test/java/org/apache/poi/stress/HPSFFileHandler.java
+++ b/poi-integration/src/test/java/org/apache/poi/stress/HPSFFileHandler.java
@@ -43,8 +43,6 @@ import org.apache.poi.util.TempFile;
 import org.junit.jupiter.api.Test;
 
 public class HPSFFileHandler extends POIFSFileHandler {
-    private static final String NL = System.getProperty("line.separator");
-
     private static final ThreadLocal<File> copyOutput = ThreadLocal.withInitial(HPSFFileHandler::getTempFile);
 
     static final Set<String> EXCLUDES_HANDLE_ADD = StressTestUtils.unmodifiableHashSet(
@@ -140,12 +138,10 @@ public class HPSFFileHandler extends POIFSFileHandler {
         try (InputStream stream = new FileInputStream(path)) {
             handleFile(stream, path);
         }
-    }
 
-    // a test-case to test this locally without executing the full TestAllFiles
-    @Test
-    void testExtractor() {
-        File file = new File("test-data/hpsf/TestBug44375.xls");
+        File file = new File(path);
         assertDoesNotThrow(() -> handleExtracting(file));
+
+        handleAdditional(file);
     }
 }

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java
index 5a69dbbb3fa3c59a3d165d4a8a8ac845c3280956..325abc6df88b6295a500baa59ec2205f26c8bb8d 100644 (file)
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java
@@ -47,6 +47,7 @@ import org.apache.poi.poifs.filesystem.DirectoryEntry;
 import org.apache.poi.poifs.filesystem.DirectoryNode;
 import org.apache.poi.poifs.filesystem.DocumentEntry;
 import org.apache.poi.poifs.filesystem.DocumentInputStream;
+import org.apache.poi.poifs.filesystem.Entry;
 import org.apache.poi.poifs.filesystem.FileMagic;
 import org.apache.poi.poifs.filesystem.POIFSFileSystem;
 import org.apache.poi.util.IOUtils;
@@ -337,7 +338,11 @@ public abstract class HWPFDocumentCore extends POIDocument {
      */
     protected byte[] getDocumentEntryBytes(String name, int encryptionOffset, final int len) throws IOException {
         DirectoryNode dir = getDirectory();
-        DocumentEntry documentProps = (DocumentEntry)dir.getEntry(name);
+        final Entry entry = dir.getEntry(name);
+        if (!(entry instanceof DocumentEntry)) {
+            throw new IllegalArgumentException("Had unexpected type of entry for name: " + name + ": " + entry);
+        }
+        DocumentEntry documentProps = (DocumentEntry) entry;
         int streamSize = documentProps.getSize();
         boolean isEncrypted = (encryptionOffset > -1 && getEncryptionInfo() != null);
 

diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
index a809fa7d5e95eaa7f0c4a2a72807bff1a451bd0c..9f97d63309a3300e800f80f0da9803915f0032e0 100644 (file)
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
@@ -23,6 +23,7 @@ import java.io.FilenameFilter;
 import java.io.StringWriter;
 import java.util.Arrays;
 import java.util.List;
+import java.util.Locale;
 import java.util.stream.Stream;
 
 import javax.xml.transform.OutputKeys;
@@ -52,16 +53,26 @@ public class TestWordToConverterSuite
         "password_password_cryptoapi.doc",
         // WORD 2.0 file
         "word2.doc",
-        // Corrupt file
-        "Fuzzed.doc"
+        // Excel file
+        "TestRobert_Flaherty.doc",
+        // Corrupt files
+        "Fuzzed.doc",
+        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
+        "TestHPSFWritingFunctionality.doc"
     );
 
     public static Stream<Arguments> files() {
-        File directory = POIDataSamples.getDocumentInstance().getFile("../document" );
-        FilenameFilter ff = (dir, name) -> name.endsWith(".doc") && !failingFiles.contains(name);
+        return Stream.concat(
+                Arrays.stream(getFiles(POIDataSamples.getDocumentInstance().getFile(""))),
+                Arrays.stream(getFiles(POIDataSamples.getHPSFInstance().getFile("")))
+        ).map(Arguments::of);
+    }
+
+    private static File[] getFiles(File directory) {
+        FilenameFilter ff = (dir, name) -> name.toLowerCase(Locale.ROOT).endsWith(".doc") && !failingFiles.contains(name);
         File[] docs = directory.listFiles(ff);
         assertNotNull(docs);
-        return Arrays.stream(docs).map(Arguments::of);
+        return docs;
     }
 
     @ParameterizedTest

diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
index 64d89486d06dfa7634bcd0b38aeef734a027be99..0d084157c914d5b4b5ca9f74b5c6d8daefd56e97 100644 (file)
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
@@ -25,9 +25,10 @@ import java.io.FileInputStream;
 import java.io.FilenameFilter;
 import java.io.InputStream;
 import java.util.Arrays;
+import java.util.List;
+import java.util.Locale;
 import java.util.stream.Stream;
 
-import org.apache.commons.io.filefilter.SuffixFileFilter;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.poi.EncryptedDocumentException;
@@ -44,6 +45,14 @@ import org.junit.jupiter.params.provider.MethodSource;
 public class TestWordToTextConverter {
     private static final Logger LOG = LogManager.getLogger(WordToTextConverter.class);
 
+    private static final List<String> failingFiles = Arrays.asList(
+        // Excel file
+        "TestRobert_Flaherty.doc",
+        // Corrupt files
+        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
+        "TestHPSFWritingFunctionality.doc"
+    );
+
     /**
      * [FAILING] Bug 47731 - Word Extractor considers text copied from some
      * website as an embedded object
@@ -104,13 +113,16 @@ public class TestWordToTextConverter {
     }
 
     public static Stream<Arguments> files() {
-        String dataDirName = System.getProperty(POIDataSamples.TEST_PROPERTY,
-                new File("test-data").exists() ? "test-data" : "../test-data");
-
-        File[] documents = new File(dataDirName, "document").listFiles(
-                (FilenameFilter) new SuffixFileFilter(".doc"));
-        assertNotNull(documents);
+        return Stream.concat(
+            Arrays.stream(getFiles(POIDataSamples.getDocumentInstance().getFile(""))),
+            Arrays.stream(getFiles(POIDataSamples.getHPSFInstance().getFile("")))
+        ).map(Arguments::of);
+    }
 
-        return Arrays.stream(documents).map(Arguments::of);
+    private static File[] getFiles(File directory) {
+        FilenameFilter ff = (dir, name) -> name.toLowerCase(Locale.ROOT).endsWith(".doc") && !failingFiles.contains(name);
+        File[] docs = directory.listFiles(ff);
+        assertNotNull(docs);
+        return docs;
     }
 }

diff --git a/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc
new file mode 100644 (file)
index 0000000..191f096
Binary files /dev/null and b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc differ

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index bfa0cd3f93e22a35db6f739bb84a32f04800f413..97591849fd3a702c78859172afb9d48ed1d6410a 100644 (file)
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ