From: Dominik Stadler Date: Mon, 11 Apr 2022 13:51:31 +0000 (+0000) Subject: Prevent an overly large allocation when using HPSF X-Git-Tag: REL_5_2_3~358 X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=f8e27ee19b961f5927d4fec4730d93d1466168e1;p=poi.git Prevent an overly large allocation when using HPSF Add a sample document from fuzzing which contains invalid/oversized values git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1899749 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/poi/src/main/java/org/apache/poi/hpsf/Array.java b/poi/src/main/java/org/apache/poi/hpsf/Array.java
index 94af1369f8..eeaf58683f 100644
--- a/poi/src/main/java/org/apache/poi/hpsf/Array.java
+++ b/poi/src/main/java/org/apache/poi/hpsf/Array.java
@@ -16,12 +16,15 @@
 ==================================================================== */
 package org.apache.poi.hpsf;
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.Internal;
 import org.apache.poi.util.LittleEndianByteArrayInputStream;
 @Internal
-public class Array
-{
+public class Array {
+
+ private static final int MAX_NUMBER_OF_ARRAY_SCALARS = 100_000;
+
 static class ArrayDimension {
 private long _size;
 @SuppressWarnings("unused")
@@ -33,8 +36,7 @@ public class Array
 }
 }
- static class ArrayHeader
- {
+ static class ArrayHeader {
 private ArrayDimension[] _dimensions;
 private int _type;
@@ -47,7 +49,7 @@ public class Array
 String msg = "Array dimension number "+numDimensionsUnsigned+" is not in [1; 31] range";
 throw new IllegalPropertySetDataException(msg);
 }
-
+
 int numDimensions = (int) numDimensionsUnsigned;
 _dimensions = new ArrayDimension[numDimensions];
@@ -86,6 +88,8 @@ public class Array
 }
 int numberOfScalars = (int) numberOfScalarsLong;
+ IOUtils.safelyAllocateCheck(numberOfScalars, MAX_NUMBER_OF_ARRAY_SCALARS);
+
 _values = new TypedPropertyValue[numberOfScalars];
 int paddedType = (_header._type == Variant.VT_VARIANT) ? 0 : _header._type;
 for ( int i = 0; i < numberOfScalars; i++ ) {
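Review bot: `MAX_NUMBER_OF_ARRAY_SCALARS` is introduced in the first Array.java hunk without a comment saying what it bounds or why 100_000 was chosen, and as a `private static final` it cannot be raised by an application that legitimately reads larger property arrays. A short Javadoc such as `/** Upper bound on the element count of one HPSF array property; larger counts are rejected as corrupt input before allocation. */` would record the intent. If other size limits in this code base can be adjusted at runtime, a static getter/setter pair for this one would keep the behaviour consistent; whether that convention applies is not visible from this hunk.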
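Review bot: In the last Array.java hunk the new bound is applied to `numberOfScalars` after the `(int)` narrowing on the line above, so the check only ever sees the truncated value. Checking the untruncated count before the cast, `IOUtils.safelyAllocateCheck(numberOfScalarsLong, MAX_NUMBER_OF_ARRAY_SCALARS);` (the method accepts a long length), would not depend on whatever range check precedes this hunk. The code that computes `numberOfScalarsLong` is outside the hunk; if the product of the dimension sizes is already range-checked there this is only defence in depth, but if it is not, a header whose product truncates to a small int would pass the limit. The enclosing read method starts and ends outside the hunk.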
diff --git a/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java b/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
index 1059213502..5013e45258 100644
--- a/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
+++ b/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
@@ -40,6 +40,8 @@ class TestBiffViewer extends BaseTestIteratingXLS {
 excludes.put("XRefCalc.xls", RuntimeException.class);
 excludes.put("61300.xls", IndexOutOfBoundsException.class);
+ excludes.put("poi-fuzz.xls", RecordFormatException.class);
+
 return excludes;
 }
diff --git a/test-data/spreadsheet/poi-fuzz.xls b/test-data/spreadsheet/poi-fuzz.xls
new file mode 100644
index 0000000000..9acb7005e0
Binary files /dev/null and b/test-data/spreadsheet/poi-fuzz.xls differ
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index d8237a26ff..ecfae46d48 100644
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ
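Review bot: Listing `poi-fuzz.xls` under `RecordFormatException` in the BiffViewer excludes only shows that some part of the parse rejects the file; it does not pin the failure to the new HPSF array limit, so a later change could throw the same exception from elsewhere and this test would still pass. A focused HPSF test that reads the sample's property set and asserts the exception is raised by the array-size check would protect the fix directly. The import for `RecordFormatException` is not in this hunk and is presumably already present in the file. The commit also replaces `stress.xls` without mentioning it in the description; a sentence there saying why would help a later reader.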