From: Dominik Stadler <centic@apache.org>
Date: Mon, 11 Apr 2022 13:51:31 +0000 (+0000)
Subject: Prevent an overly large allocation when using HPSF
X-Git-Tag: REL_5_2_3~358
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=f8e27ee19b961f5927d4fec4730d93d1466168e1;p=poi.git

Prevent an overly large allocation when using HPSF

Add a sample document from fuzzing which contains invalid/oversized values

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1899749 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/poi/src/main/java/org/apache/poi/hpsf/Array.java b/poi/src/main/java/org/apache/poi/hpsf/Array.java
index 94af1369f8..eeaf58683f 100644
--- a/poi/src/main/java/org/apache/poi/hpsf/Array.java
+++ b/poi/src/main/java/org/apache/poi/hpsf/Array.java
@@ -16,12 +16,15 @@
 ==================================================================== */
 package org.apache.poi.hpsf;
 
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.Internal;
 import org.apache.poi.util.LittleEndianByteArrayInputStream;
 
 @Internal
-public class Array
-{
+public class Array {
+
+    private static final int MAX_NUMBER_OF_ARRAY_SCALARS = 100_000;
+
     static class ArrayDimension {
         private long _size;
         @SuppressWarnings("unused")
@@ -33,8 +36,7 @@ public class Array
         }
     }
 
-    static class ArrayHeader
-    {
+    static class ArrayHeader {
         private ArrayDimension[] _dimensions;
         private int _type;
 
@@ -47,7 +49,7 @@ public class Array
                 String msg = "Array dimension number "+numDimensionsUnsigned+" is not in [1; 31] range";
                 throw new IllegalPropertySetDataException(msg);
             }
-                
+
             int numDimensions = (int) numDimensionsUnsigned;
 
             _dimensions = new ArrayDimension[numDimensions];
@@ -86,6 +88,8 @@ public class Array
         }
         int numberOfScalars = (int) numberOfScalarsLong;
 
+        IOUtils.safelyAllocateCheck(numberOfScalars, MAX_NUMBER_OF_ARRAY_SCALARS);
+
         _values = new TypedPropertyValue[numberOfScalars];
         int paddedType = (_header._type == Variant.VT_VARIANT) ? 0 : _header._type;
         for ( int i = 0; i < numberOfScalars; i++ ) {
diff --git a/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java b/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
index 1059213502..5013e45258 100644
--- a/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
+++ b/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
@@ -40,6 +40,8 @@ class TestBiffViewer extends BaseTestIteratingXLS {
         excludes.put("XRefCalc.xls", RuntimeException.class);
 
         excludes.put("61300.xls", IndexOutOfBoundsException.class);
+        excludes.put("poi-fuzz.xls", RecordFormatException.class);
+
         return excludes;
     }
 
diff --git a/test-data/spreadsheet/poi-fuzz.xls b/test-data/spreadsheet/poi-fuzz.xls
new file mode 100644
index 0000000000..9acb7005e0
Binary files /dev/null and b/test-data/spreadsheet/poi-fuzz.xls differ
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index d8237a26ff..ecfae46d48 100644
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ