From: Tim Allison Date: Fri, 14 Jul 2017 20:47:40 +0000 (+0000) Subject: bug 61300 -- prevent really long (infinite?) loop on corrupt file X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=408e23655367013f41a06243cc6dacd566b01eec;p=poi.git bug 61300 -- prevent really long (infinite?) loop on corrupt file git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1801989 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/src/integrationtest/org/apache/poi/TestAllFiles.java b/src/integrationtest/org/apache/poi/TestAllFiles.java
index 9a9ba8864f..b84257d13e 100644
--- a/src/integrationtest/org/apache/poi/TestAllFiles.java
+++ b/src/integrationtest/org/apache/poi/TestAllFiles.java
@@ -331,7 +331,8 @@ public class TestAllFiles {
 // need JDK8+ - https://bugs.openjdk.java.net/browse/JDK-8038081
 "slideshow/42474-2.ppt",
 // OPC handler works / XSSF handler fails
- "spreadsheet/57181.xlsm"
+ "spreadsheet/57181.xlsm",
+ "spreadsheet/61300.xls"//intentionally fuzzed -- used to cause infinite loop
 );
 @Parameters(name="{index}: {0} using {1}")
diff --git a/src/integrationtest/org/apache/poi/stress/HSSFFileHandler.java b/src/integrationtest/org/apache/poi/stress/HSSFFileHandler.java
index c2928e72c0..0f6f65d0b7 100644
--- a/src/integrationtest/org/apache/poi/stress/HSSFFileHandler.java
+++ b/src/integrationtest/org/apache/poi/stress/HSSFFileHandler.java
@@ -16,6 +17,17 @@ ==================================================================== */
 package org.apache.poi.stress;
+import static org.junit.Assert.assertFalse;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintStream;
+import java.util.HashSet;
+import java.util.Set;
+
 import org.apache.poi.EncryptedDocumentException;
 import org.apache.poi.hssf.OldExcelFormatException;
 import org.apache.poi.hssf.dev.BiffViewer;
@@ -23,12 +34,6 @@ import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.apache.poi.util.RecordFormatException;
 import org.junit.Test;
-import java.io.*;
-import java.util.HashSet;
-import java.util.Set;
-
-import static org.junit.Assert.assertFalse;
-
 public class HSSFFileHandler extends SpreadsheetHandler {
 private final POIFSFileHandler delegate = new POIFSFileHandler();
 @Override
@@ -61,6 +66,7 @@ public class HSSFFileHandler extends SpreadsheetHandler {
 EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/50833.xls");
 EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/51832.xls");
 EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/XRefCalc.xls");
+ EXPECTED_ADDITIONAL_FAILURES.add("spreadsheet/61300.xls");
 }
 @Override
diff --git a/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java b/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java
index 5c9d35da23..848fd9f006 100644
--- a/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java
+++ b/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java
@@ -70,6 +70,9 @@ public final class NDocumentInputStream extends DocumentInputStream {
 _document_size = document.getSize();
 _closed = false;
+ if (_document_size < 0) {
+ //throw new RecordFormatException("Document size can't be < 0");
+ }
 DocumentNode doc = (DocumentNode)document;
 DocumentProperty property = (DocumentProperty)doc.getProperty();
 _document = new NPOIFSDocument(
@@ -248,6 +251,10 @@ public final class NDocumentInputStream extends DocumentInputStream {
 @Override
 public void readFully(byte[] buf, int off, int len) {
+ if (len < 0) {
+ throw new RuntimeException("Can't read negative number of bytes");
+ }
+
 checkAvaliable(len);
 int read = 0;
diff --git a/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java b/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java
index 9b6ce33f46..cc280390ef 100644
--- a/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java
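Review bot: In NDocumentInputStream's constructor the new `if (_document_size < 0)` block has an empty body, because its only statement is commented out, so a negative size returned by `document.getSize()` is still accepted here while ODocumentInputStream rejects the same condition in this commit. Unless there is a known reason to tolerate it, the guard should fail fast with `throw new RecordFormatException("document_size cannot be < 0");`, which also needs `import org.apache.poi.util.RecordFormatException;` because no import hunk for this file is visible. If the throw has to stay disabled, replace the dead block with a comment saying why a negative size must be allowed and which later check catches it. The constructor starts and ends outside the hunk.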
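Review bot: The negative-length guard added to `readFully` in NDocumentInputStream throws a bare `RuntimeException`, so callers and the per-test exclusion lists cannot tell a corrupt-file condition from any other unchecked failure. `throw new RecordFormatException("Can't read negative number of bytes: " + len);` keeps existing `RuntimeException` handlers working, since RecordFormatException is itself a RuntimeException, and records the offending value; it needs the `org.apache.poi.util.RecordFormatException` import in this file. No matching guard is visible for ODocumentInputStream's `readFully` in this commit, so it is worth checking whether that path needs one too. The method body continues past the hunk.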
+++ b/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java
@@ -20,6 +20,7 @@ package org.apache.poi.poifs.filesystem;
 import java.io.IOException;
 import org.apache.poi.poifs.storage.DataInputBlock;
+import org.apache.poi.util.RecordFormatException;
 /**
 * This class provides methods to read a DocumentEntry managed by a
@@ -64,6 +65,9 @@ public final class ODocumentInputStream extends DocumentInputStream {
 _current_offset = 0;
 _marked_offset = 0;
 _document_size = document.getSize();
+ if (_document_size < 0) {
+ throw new RecordFormatException("document_size cannot be < 0");
+ }
 _closed = false;
 _document = documentNode.getDocument();
 _currentBlock = getDataInputBlock(0);
diff --git a/src/java/org/apache/poi/util/BoundedInputStream.java b/src/java/org/apache/poi/util/BoundedInputStream.java
index 1cdeb39f33..1ef84d9ff0 100644
--- a/src/java/org/apache/poi/util/BoundedInputStream.java
+++ b/src/java/org/apache/poi/util/BoundedInputStream.java
@@ -19,8 +19,6 @@ package org.apache.poi.util;
 import java.io.IOException;
 import java.io.InputStream;
-import org.apache.poi.util.SuppressForbidden;
-
 /**
 * This is a stream that will only supply bytes up to a certain length - if its
 * position goes above that, it will stop.
diff --git a/src/java/org/apache/poi/util/IOUtils.java b/src/java/org/apache/poi/util/IOUtils.java
index 296d92cf08..25e5652d93 100644
--- a/src/java/org/apache/poi/util/IOUtils.java
+++ b/src/java/org/apache/poi/util/IOUtils.java
@@ -310,6 +310,9 @@ public final class IOUtils {
 byte[] buff = new byte[4096];
 int count;
 while ((count = inp.read(buff)) != -1) {
+ if (count < -1) {
+ throw new RecordFormatException("Can't have read < -1 bytes");
+ }
 if (count > 0) {
 out.write(buff, 0, count);
 }
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestBiffDrawingToXml.java b/src/testcases/org/apache/poi/hssf/dev/TestBiffDrawingToXml.java
index ffcb676d5c..c739364c42 100644
--- a/src/testcases/org/apache/poi/hssf/dev/TestBiffDrawingToXml.java
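Review bot: The added `count < -1` check in the IOUtils copy loop stops a stream that reports an impossible negative count, but a stream that keeps returning 0 still spins forever, because the loop exits only on -1 and the `count > 0` branch simply skips the write. Since this commit is about unbounded loops on corrupt input, consider bounding consecutive zero-length reads as well, and put the value in the message, e.g. `throw new RecordFormatException("Can't have read < -1 bytes: " + count);`. RecordFormatException is a format-level unchecked exception raised from a general-purpose copy helper; an `IOException` may be what callers of this method expect, though its signature is outside the hunk.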
+++ b/src/testcases/org/apache/poi/hssf/dev/TestBiffDrawingToXml.java
@@ -24,6 +24,7 @@ import java.io.PrintStream;
 import org.apache.poi.EncryptedDocumentException;
 import org.apache.poi.hssf.OldExcelFormatException;
 import org.apache.poi.hssf.record.RecordInputStream;
+import org.apache.poi.util.RecordFormatException;
 import org.junit.BeforeClass;
 public class TestBiffDrawingToXml extends BaseXLSIteratingTest {
@@ -45,6 +46,7 @@ public class TestBiffDrawingToXml extends BaseXLSIteratingTest {
 EXCLUDED.put("60284.xls", OldExcelFormatException.class); // Biff 5 / Excel 95
 EXCLUDED.put("43493.xls", RecordInputStream.LeftoverDataException.class); // HSSFWorkbook cannot open it as well
 EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
+ EXCLUDED.put("61300.xls", RecordFormatException.class);
 }
 @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestBiffViewer.java b/src/testcases/org/apache/poi/hssf/dev/TestBiffViewer.java
index 5a36de4940..414ae7f2fe 100644
--- a/src/testcases/org/apache/poi/hssf/dev/TestBiffViewer.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestBiffViewer.java
@@ -28,6 +28,7 @@ import org.apache.poi.hssf.OldExcelFormatException;
 import org.apache.poi.hssf.record.RecordInputStream;
 import org.apache.poi.poifs.filesystem.NPOIFSFileSystem;
 import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
 import org.junit.BeforeClass;
 import org.junit.Ignore;
 import org.junit.Test;
@@ -53,6 +54,7 @@ public class TestBiffViewer extends BaseXLSIteratingTest {
 // EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
 EXCLUDED.put("50833.xls", IllegalArgumentException.class); // "Name is too long" when setting username
 EXCLUDED.put("XRefCalc.xls", RuntimeException.class); // "Buffer overrun"
+ EXCLUDED.put("61300.xls", RecordFormatException.class);
 }
 @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestEFBiffViewer.java b/src/testcases/org/apache/poi/hssf/dev/TestEFBiffViewer.java
index e07b9ff8e9..0ba83ae55f 100644
--- a/src/testcases/org/apache/poi/hssf/dev/TestEFBiffViewer.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestEFBiffViewer.java
@@ -24,6 +24,7 @@ import org.apache.poi.EncryptedDocumentException;
 import org.apache.poi.hssf.OldExcelFormatException;
 import org.apache.poi.hssf.record.RecordInputStream;
 import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
 import org.junit.BeforeClass;
 public class TestEFBiffViewer extends BaseXLSIteratingTest {
@@ -46,6 +47,7 @@ public class TestEFBiffViewer extends BaseXLSIteratingTest {
 EXCLUDED.put("43493.xls", RecordInputStream.LeftoverDataException.class); // HSSFWorkbook cannot open it as well
 EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
 EXCLUDED.put("XRefCalc.xls", RuntimeException.class); // "Buffer overrun"
+ EXCLUDED.put("61300.xls", RecordFormatException.class);
 }
 @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestFormulaViewer.java b/src/testcases/org/apache/poi/hssf/dev/TestFormulaViewer.java
index 3e575f22ba..a272fc9314 100644
--- a/src/testcases/org/apache/poi/hssf/dev/TestFormulaViewer.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestFormulaViewer.java
@@ -25,6 +25,7 @@ import org.apache.poi.EncryptedDocumentException;
 import org.apache.poi.hssf.OldExcelFormatException;
 import org.apache.poi.hssf.record.RecordInputStream;
 import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
 import org.junit.BeforeClass;
 public class TestFormulaViewer extends BaseXLSIteratingTest {
@@ -46,6 +47,7 @@ public class TestFormulaViewer extends BaseXLSIteratingTest {
 EXCLUDED.put("60284.xls", OldExcelFormatException.class); // Biff 5 / Excel 95
 EXCLUDED.put("43493.xls", RecordInputStream.LeftoverDataException.class); // HSSFWorkbook cannot open it as well
 EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
+ EXCLUDED.put("61300.xls", RecordFormatException.class);
 }
 @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestReSave.java b/src/testcases/org/apache/poi/hssf/dev/TestReSave.java
index b1ae03aa9a..09d560de7e 100644
--- a/src/testcases/org/apache/poi/hssf/dev/TestReSave.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestReSave.java
@@ -16,20 +16,21 @@ ==================================================================== */
 package org.apache.poi.hssf.dev;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.io.PrintStream;
+
 import org.apache.poi.EncryptedDocumentException;
 import org.apache.poi.POIDataSamples;
 import org.apache.poi.hssf.OldExcelFormatException;
 import org.apache.poi.hssf.record.RecordInputStream;
 import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
 import org.junit.BeforeClass;
 import org.junit.Ignore;
 import org.junit.Test;
-import java.io.File;
-import java.io.PrintStream;
-
-import static org.junit.Assert.assertTrue;
-
 public class TestReSave extends BaseXLSIteratingTest {
 @BeforeClass
 public static void setup() {
@@ -50,6 +51,7 @@ public class TestReSave extends BaseXLSIteratingTest {
 EXCLUDED.put("43493.xls", RecordInputStream.LeftoverDataException.class); // HSSFWorkbook cannot open it as well
 EXCLUDED.put("44958_1.xls", RecordInputStream.LeftoverDataException.class);
 EXCLUDED.put("XRefCalc.xls", RuntimeException.class); // "Buffer overrun"
+ EXCLUDED.put("61300.xls", RecordFormatException.class);
 }
 @Override
diff --git a/src/testcases/org/apache/poi/hssf/dev/TestRecordLister.java b/src/testcases/org/apache/poi/hssf/dev/TestRecordLister.java
index a74846d463..cf0907ea6e 100644
--- a/src/testcases/org/apache/poi/hssf/dev/TestRecordLister.java
+++ b/src/testcases/org/apache/poi/hssf/dev/TestRecordLister.java
@@ -22,6 +22,7 @@ import java.io.PrintStream;
 import org.apache.poi.hssf.OldExcelFormatException;
 import org.apache.poi.util.LocaleUtil;
+import org.apache.poi.util.RecordFormatException;
 import org.junit.BeforeClass;
 public class TestRecordLister extends BaseXLSIteratingTest {
@@ -37,6 +38,7 @@ public class TestRecordLister extends BaseXLSIteratingTest {
 EXCLUDED.put("60284.xls", OldExcelFormatException.class); // Biff 5 / Excel 5
 EXCLUDED.put("testEXCEL_95.xls", OldExcelFormatException.class); // Biff 5 / Excel 95
 EXCLUDED.put("60284.xls", OldExcelFormatException.class); // Biff 5 / Excel 95
+ EXCLUDED.put("61300.xls", RecordFormatException.class);
 }
diff --git a/src/testcases/org/apache/poi/hssf/usermodel/TestBugs.java b/src/testcases/org/apache/poi/hssf/usermodel/TestBugs.java
index adc07bd952..f249fadf40 100644
--- a/src/testcases/org/apache/poi/hssf/usermodel/TestBugs.java
+++ b/src/testcases/org/apache/poi/hssf/usermodel/TestBugs.java
@@ -45,6 +45,8 @@ import java.util.Locale;
 import java.util.TimeZone;
 import org.apache.poi.EncryptedDocumentException;
+import org.apache.poi.hpsf.PropertySet;
+import org.apache.poi.hpsf.SummaryInformation;
 import org.apache.poi.hssf.HSSFITestDataProvider;
 import org.apache.poi.hssf.HSSFTestDataSamples;
 import org.apache.poi.hssf.OldExcelFormatException;
@@ -63,6 +65,8 @@ import org.apache.poi.hssf.record.aggregates.PageSettingsBlock;
 import org.apache.poi.hssf.record.aggregates.RecordAggregate;
 import org.apache.poi.hssf.record.common.UnicodeString;
 import org.apache.poi.hssf.record.crypto.Biff8EncryptionKey;
+import org.apache.poi.poifs.filesystem.DocumentEntry;
+import org.apache.poi.poifs.filesystem.DocumentInputStream;
 import org.apache.poi.poifs.filesystem.NPOIFSFileSystem;
 import org.apache.poi.poifs.filesystem.OPOIFSFileSystem;
 import org.apache.poi.poifs.filesystem.POIFSFileSystem;
@@ -3139,4 +3143,15 @@ public final class TestBugs extends BaseTestBugzillaIssues {
 wb.close();
 }
+ @Test(expected = RuntimeException.class)
+ public void test61300() throws Exception {
+ NPOIFSFileSystem npoifs = new NPOIFSFileSystem(HSSFTestDataSamples.openSampleFileStream("61300.xls"));
+
+ DocumentEntry entry =
+ (DocumentEntry) npoifs.getRoot().getEntry(SummaryInformation.DEFAULT_STREAM_NAME);
+ PropertySet properties =
+ new PropertySet(new DocumentInputStream(entry));
+
+ }
+
 }
diff --git a/test-data/spreadsheet/61300.xls b/test-data/spreadsheet/61300.xls
new file mode 100644
index 0000000000..0b54c8cff2
Binary files /dev/null and b/test-data/spreadsheet/61300.xls differ
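Review bot: `test61300` in TestBugs passes on any unchecked exception, including a NullPointerException from a missing entry, so it does not pin the negative-length guard it was written for; it also has no time limit, although the regression being fixed was a loop that did not end. `@Test(expected = RuntimeException.class, timeout = 10000)` (timeout value constructed for illustration) would turn a reintroduced hang into a failure instead of a stalled build. `npoifs` is never closed; wrapping the body in `try { ... } finally { npoifs.close(); }` releases it even when the expected exception is thrown. The unused `properties` local can go by writing `new PropertySet(new DocumentInputStream(entry));` as a bare statement.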