Prevent an overly large allocation when using HPSF
authorDominik Stadler <centic@apache.org>
Mon, 11 Apr 2022 13:51:31 +0000 (13:51 +0000)
committerDominik Stadler <centic@apache.org>
Mon, 11 Apr 2022 13:51:31 +0000 (13:51 +0000)
Add a sample document from fuzzing which contains invalid/oversized values

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1899749 13f79535-47bb-0310-9956-ffa450edef68

poi/src/main/java/org/apache/poi/hpsf/Array.java
poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
test-data/spreadsheet/poi-fuzz.xls [new file with mode: 0644]
test-data/spreadsheet/stress.xls

index 94af1369f8e1a063c7068ac5917d1fdcfcad603c..eeaf58683f6e423826866d71c4740354c18cfa90 100644 (file)
 ==================================================================== */
 package org.apache.poi.hpsf;
 
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.Internal;
 import org.apache.poi.util.LittleEndianByteArrayInputStream;
 
 @Internal
-public class Array
-{
+public class Array {
+
+    private static final int MAX_NUMBER_OF_ARRAY_SCALARS = 100_000;
+
     static class ArrayDimension {
         private long _size;
         @SuppressWarnings("unused")
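Review bot: `MAX_NUMBER_OF_ARRAY_SCALARS` is introduced without a comment, so a reader cannot tell what it bounds or why 100,000 was chosen. I would add a Javadoc on the constant, for example `/** Maximum number of elements accepted from an HPSF array header before the value array is allocated; larger counts are treated as malformed input. */`. The constant is `private static final` and nothing in the hunk shows a way to raise it, so the comment should also say whether legitimate documents with larger arrays are expected and how they would be handled.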
@@ -33,8 +36,7 @@ public class Array
         }
     }
 
-    static class ArrayHeader
-    {
+    static class ArrayHeader {
         private ArrayDimension[] _dimensions;
         private int _type;
 
@@ -47,7 +49,7 @@ public class Array
                 String msg = "Array dimension number "+numDimensionsUnsigned+" is not in [1; 31] range";
                 throw new IllegalPropertySetDataException(msg);
             }
-                
+
             int numDimensions = (int) numDimensionsUnsigned;
 
             _dimensions = new ArrayDimension[numDimensions];
@@ -86,6 +88,8 @@ public class Array
         }
         int numberOfScalars = (int) numberOfScalarsLong;
 
+        IOUtils.safelyAllocateCheck(numberOfScalars, MAX_NUMBER_OF_ARRAY_SCALARS);
+
         _values = new TypedPropertyValue[numberOfScalars];
         int paddedType = (_header._type == Variant.VT_VARIANT) ? 0 : _header._type;
         for ( int i = 0; i < numberOfScalars; i++ ) {
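Review bot: The new `IOUtils.safelyAllocateCheck(numberOfScalars, MAX_NUMBER_OF_ARRAY_SCALARS)` call appears to report an oversized array with a different exception type than the rest of this class. The `TestBiffViewer` exclude in this commit expects `RecordFormatException`, while the header parsing above throws `IllegalPropertySetDataException`, so callers that treat only HPSF exceptions as "malformed property set" may not handle it; this should be documented on the method or made consistent. The check also runs after the `(int)` narrowing, so it depends on the range check that ends just above the hunk. Assuming the helper accepts a long length, `IOUtils.safelyAllocateCheck(numberOfScalarsLong, MAX_NUMBER_OF_ARRAY_SCALARS);` placed before the cast would bound the untrusted value directly. The limit covers the element count only, and each `TypedPropertyValue` read in the loop presumably still sizes its own data. The enclosing method starts and ends outside the hunk.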
index 1059213502c72bea507f8f5c99a4ff7eb4a57d1e..5013e4525870f722cfc1c9444a17f3903c85ac19 100644 (file)
@@ -40,6 +40,8 @@ class TestBiffViewer extends BaseTestIteratingXLS {
         excludes.put("XRefCalc.xls", RuntimeException.class);
 
         excludes.put("61300.xls", IndexOutOfBoundsException.class);
+        excludes.put("poi-fuzz.xls", RecordFormatException.class);
+
         return excludes;
     }
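Review bot: The exclude `excludes.put("poi-fuzz.xls", RecordFormatException.class)` only records that BiffViewer fails on the fuzzed file with that exception; it does not show that the failure comes from the new HPSF array limit. A focused test that feeds `Array` a header declaring more than `MAX_NUMBER_OF_ARRAY_SCALARS` elements and asserts the rejection would pin the fix and catch a regression if the limit or the check is changed later. A short comment next to the entry, e.g. `// fuzzed sample with invalid/oversized values, rejected while parsing`, would also explain why this file is expected to fail. The enclosing method starts outside the hunk.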
 
diff --git a/test-data/spreadsheet/poi-fuzz.xls b/test-data/spreadsheet/poi-fuzz.xls
new file mode 100644 (file)
index 0000000..9acb700
Binary files /dev/null and b/test-data/spreadsheet/poi-fuzz.xls differ
index d8237a26ff2dac5ff5d76c4f4dc4d7bdf5c65bcf..ecfae46d48327d4a9ae75c48bfde0706c51a7cf9 100644 (file)
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ