From: Dominik Stadler Date: Mon, 7 Aug 2023 20:35:59 +0000 (+0000) Subject: Bug 66425: Add memory-safeguard in one more place X-Git-Tag: REL_5_2_4~78 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=1b7613329e6258a85d548998f5dd36e58046a5b4;p=poi.git Bug 66425: Add memory-safeguard in one more place We try to generally avoid overly large allocations in places where arrays are allocated. We add one more such check for pictures in HSLF. We might need to increase the used value of 10MB if users report larger files being used frequently. Overriding this check via IOUtils is possible. git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911525 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
index 70fb287026..170f42bfcb 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
@@ -94,6 +94,7 @@ public final class HSLFSlideShowImpl extends POIDocument implements Closeable {
 private static final int DEFAULT_MAX_RECORD_LENGTH = 200_000_000;
 private static final int MAX_DOCUMENT_SIZE = 100_000_000;
 private static int MAX_RECORD_LENGTH = DEFAULT_MAX_RECORD_LENGTH;
+ private static final int MAX_IMAGE_LENGTH = 10_000_000;
 // Holds metadata on where things are in our document
 private CurrentUserAtom currentUser;
@@ -407,7 +408,7 @@ public final class HSLFSlideShowImpl extends POIDocument implements Closeable {
 EscherContainerRecord blipStore = getBlipStore();
 byte[] pictstream;
 try (DocumentInputStream is = getDirectory().createDocumentInputStream(entry)) {
- pictstream = IOUtils.toByteArray(is, entry.getSize());
+ pictstream = IOUtils.toByteArray(is, entry.getSize(), MAX_IMAGE_LENGTH);
 }
 List factories = new ArrayList<>();
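Review bot: `MAX_IMAGE_LENGTH` is added as an undocumented `final` constant, whereas `MAX_RECORD_LENGTH` directly above it is non-final with a separate `DEFAULT_` value, which suggests that limit can be tuned for this class alone. As written, the only way to admit a larger picture stream is the IOUtils override the commit message mentions; if that override is process-wide, raising it for one deck presumably relaxes the other allocation guards in the same JVM as well. I would follow the existing pair (`DEFAULT_MAX_IMAGE_LENGTH` plus a non-final `MAX_IMAGE_LENGTH` with a setter) and add a comment such as `// Upper bound in bytes for the picture data read into a single array; protects against oversized allocations from malformed files`.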
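Review bot: The new bound is checked against `entry.getSize()`, the size of the whole stream read into `pictstream`, so despite its name `MAX_IMAGE_LENGTH` caps the stream rather than a single picture. If `entry` is the document's picture stream (its lookup is above this hunk, in a method that starts and ends outside it), 10 MB is the budget for all embedded images together, and ordinary image-heavy decks may now be rejected. Naming the constant after what it bounds, e.g. `MAX_PICTURE_STREAM_LENGTH`, would make that scope obvious to whoever later has to tune it; a genuinely per-picture limit would belong where each picture record's declared length is parsed.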
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
index c0572750b6..7b85af8ad9 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
@@ -16,17 +16,23 @@ ==================================================================== */
 package org.apache.poi.hslf.dev;
-import static org.junit.jupiter.api.Assertions.assertThrows;
+import org.apache.poi.EmptyFileException;
+import org.apache.poi.hslf.HSLFTestDataSamples;
+import org.junit.jupiter.api.Test;
 import java.io.File;
 import java.util.Collections;
+import java.util.HashSet;
 import java.util.Set;
-import org.apache.poi.EmptyFileException;
-import org.apache.poi.hslf.HSLFTestDataSamples;
-import org.junit.jupiter.api.Test;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 public class TestPPTXMLDump extends BaseTestPPTIterating {
+ static final Set LOCAL_EXCLUDED = new HashSet<>();
+ static {
+ LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt");
+ }
+
 @Test
 void testMain() throws Exception {
 PPTXMLDump.main(new String[0]);
@@ -41,7 +47,13 @@ public class TestPPTXMLDump extends BaseTestPPTIterating {
 @Override
 void runOneFile(File pFile) throws Exception {
- PPTXMLDump.main(new String[]{pFile.getAbsolutePath()});
+ try {
+ PPTXMLDump.main(new String[]{pFile.getAbsolutePath()});
+ } catch (IndexOutOfBoundsException e) {
+ if (!LOCAL_EXCLUDED.contains(pFile.getName())) {
+ throw e;
+ }
+ }
 }
 @Override
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java
index b75bec5178..f3afc851fb 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java
@@ -20,12 +20,19 @@ import static org.junit.jupiter.api.Assertions.assertThrows;
 import java.io.File;
 import java.io.IOException;
+import java.util.HashSet;
+import java.util.Set;
 import org.apache.poi.EmptyFileException;
 import org.apache.poi.hslf.HSLFTestDataSamples;
 import org.junit.jupiter.api.Test;
 public class TestSlideIdListing extends BaseTestPPTIterating {
+ static final Set LOCAL_EXCLUDED = new HashSet<>();
+ static {
+ LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt");
+ }
+
 @Test
 void testMain() throws IOException {
 // calls System.exit(): SlideIdListing.main(new String[0]);
@@ -37,6 +44,12 @@ public class TestSlideIdListing extends BaseTestPPTIterating {
 @Override
 void runOneFile(File pFile) throws Exception {
- SlideIdListing.main(new String[]{pFile.getAbsolutePath()});
+ try {
+ SlideIdListing.main(new String[]{pFile.getAbsolutePath()});
+ } catch (IllegalArgumentException e) {
+ if (!LOCAL_EXCLUDED.contains(pFile.getName())) {
+ throw e;
+ }
+ }
 }
 }
\ No newline at end of file
diff --git a/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt
new file mode 100644
index 0000000000..26c74a2cce
Binary files /dev/null and b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt differ
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index a873b632cb..70847a482c 100644
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ
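Review bot: The `catch (IllegalArgumentException e)` added to `runOneFile` accepts the fuzzer sample whether it throws or not, so the test stops pinning how the tool reacts to that crafted file; `TestPPTXMLDump.runOneFile` has the same shape with `IndexOutOfBoundsException`. Asserting the expected exception for excluded names (`assertThrows` is already imported in both test classes) makes a behaviour change visible in either direction. Neither test appears to exercise the new 10 MB check in HSLFSlideShowImpl itself, so a case that expects the length check to reject an oversized picture stream would be worth adding alongside.

```java
@Override
void runOneFile(File pFile) throws Exception {
    String[] args = {pFile.getAbsolutePath()};
    if (LOCAL_EXCLUDED.contains(pFile.getName())) {
        // known-bad fuzzer sample: it must keep failing in this specific way
        assertThrows(IllegalArgumentException.class, () -> SlideIdListing.main(args));
    } else {
        SlideIdListing.main(args);
    }
}
```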