From 302b43641f6329dbf02c8816950dd4c554327288 Mon Sep 17 00:00:00 2001
From: PJ Fanning <fanningpj@apache.org>
Date: Tue, 9 Jul 2024 14:43:03 +0000
Subject: [PATCH] add negative test

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1919065 13f79535-47bb-0310-9956-ffa450edef68
---
 .../java/org/apache/poi/stress/TestAllFiles.java |   1 +
 .../poi/xwpf/usermodel/TestXWPFDocument.java     |  13 +++++++++++++
 test-data/document/unicode-path.docx             | Bin 0 -> 5720 bytes
 3 files changed, 14 insertions(+)
 create mode 100644 test-data/document/unicode-path.docx

diff --git a/poi-integration/src/test/java/org/apache/poi/stress/TestAllFiles.java b/poi-integration/src/test/java/org/apache/poi/stress/TestAllFiles.java
index fafbab4195..2f8ba9aafa 100644
--- a/poi-integration/src/test/java/org/apache/poi/stress/TestAllFiles.java
+++ b/poi-integration/src/test/java/org/apache/poi/stress/TestAllFiles.java
@@ -98,6 +98,7 @@ public class TestAllFiles {
         "poifs/protected_sha512.xlsx",
 
         // corrupt file
+        "document/unicode-path.docx",
         "spreadsheet/duplicate-filename.xlsx",
         "spreadsheet/duplicate-filename-case-insensitive.xlsx",
         "document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-5166796835258368.docx",
diff --git a/poi-ooxml/src/test/java/org/apache/poi/xwpf/usermodel/TestXWPFDocument.java b/poi-ooxml/src/test/java/org/apache/poi/xwpf/usermodel/TestXWPFDocument.java
index 0546e7cd11..36c30a7428 100644
--- a/poi-ooxml/src/test/java/org/apache/poi/xwpf/usermodel/TestXWPFDocument.java
+++ b/poi-ooxml/src/test/java/org/apache/poi/xwpf/usermodel/TestXWPFDocument.java
@@ -35,6 +35,7 @@ import java.util.Optional;
 import org.apache.poi.POIDataSamples;
 import org.apache.poi.common.usermodel.PictureType;
 import org.apache.poi.ooxml.POIXMLDocumentPart;
+import org.apache.poi.ooxml.POIXMLException;
 import org.apache.poi.ooxml.POIXMLProperties;
 import org.apache.poi.ooxml.TrackingInputStream;
 import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
@@ -504,6 +505,18 @@ public final class TestXWPFDocument {
         }
     }
 
+    @Test
+    void testUnicodePathDocWithCorruptZipEntry() {
+        // this is a file that we do not want to be able to parse, as it contains a corrupt zip entry
+        POIXMLException ex = assertThrows(POIXMLException.class, () -> {
+            try (XWPFDocument doc = new XWPFDocument(
+                    POIDataSamples.getDocumentInstance().openResourceAsStream("unicode-path.docx"))) {
+                // expect exception here
+            }
+        });
+        assertEquals("InvalidFormatException", ex.getCause().getClass().getSimpleName());
+    }
+
     @Test
     @Disabled("XWPF should be able to write to a new Stream when opened Read-Only")
     void testWriteFromReadOnlyOPC() throws Exception {
diff --git a/test-data/document/unicode-path.docx b/test-data/document/unicode-path.docx
new file mode 100644
index 0000000000000000000000000000000000000000..1855aa1e74083d039cbf79521019d87aedfa51c8
GIT binary patch
literal 5720
zcmbVQ2T)V%)(uicdI?>MAV^mbsnSalF(^$ynh+qA1V{oRy%*_Hq)HJGDS}851Qeu8
zm0qMtks<=p+e^I9C)f9`|IEKLbLPzC?C+ejzIE2#YimL93FrVMBqRW7sP-MesW^u{
zH+6>DqeO&p$D-H?Fuo#L;MxJ5^4FRXJ*t?r)d-SW+I&hXtCuy(GV+#cMaVUdFyT1W
zcOBfk3myUJnlkx(hJ=-SJtc5ME!G>agu|KBDR!1whPMj7#z1wRb3=t;x~@utqVcf^
z>awI^ZN$A9Ena0hXimbFdt9ieF-~I@Lwxdb8Bg4v*A8&F*Wh99Lk?NiB+0r;BIZX>
zd<<MYC{9RVkIFPA)|RWushElT0s}ebAhTjKI4d8|C-HTK_guBn)C_9cY()6NEigny
z{{$qi@6q^1t#lVN15MTqE<-L(;%PyMNgfw9kxpRWS>+4>p!JWaP-CyKL|SM$BOOs9
z7D#89@O=mS_}j+N22ncC9eqL1$!c<HgNm4E(;ymJ4(3T)ccy`IyU~WJ$uS4}jE$Kw
zxt-MXg8{S)RZb<b!+jnxIzrA3g}yK+152CQ<b$17u>=jZcCb=Vq*;$(Jt!Y+lQXTV
zPx@-kOxBuPQ%N_dV(>YEg>ofF$k|jSX=iP?VxfQa+pr#y+knW%ZxrWB0;nO57K;V%
zsM7?Q*aQb|CKlmkGlHo&ir(F#nl2mk1I{n`C%o1oMMRMngWa9A*vZ%fFvi4N&*H0(
zFC13fH>t?pzbjFY<+Jg<Uqk6C)wvHSB9MNuwTXHZv_PtTR<v%baX2csz$P}Fx6Nih
zea3W+rBS#T{i(!y>K;*$ZE<0Zx%#n&<XswrmGK5t^znlcaF7nFJ(jV?QGL?Uj8c8U
ziD$@_`{wJDaPdeHwI%Y=cINFjd+u)iKsK|F<s+URXUZou@EuF%DguNjg1wI|j>&QR
z!|YCMXpRQ}jQw$cs7~*XxuYX)d(vV$5e=eL0c)ONtutWOGph8?;rrR?(P8~`50r~*
zxr=GWUNR6MO_fK*mrAd%eu%6qAF_9|P5Df6-Nuge3P>#0Cq@shP5-&b<NRa{cZMif
zd{9BLi>fttvZTC{Le`c9#Qj(+nz>hqkNjnjUVwOo=E_PDl2Gl7fbEXE&~#h7@;M@S
zIt)e1OOUM)VNA)*=H&GLL@7Q#@gPvs%_XMA;B1i{!5QoCm4ZTHx&1=l1V?MlcDk+_
zl7_QP3mi>P&q@2umx)8m(9(u*l;rBCwfUMoK_+gOb@C@1F<l$>-yM4*n4wH;Gr}vH
zmG;+PYnI(F_GOPMQYG|-GOm(Vl$#i1^h;U{?{i*m7MWKdmo|#nDxjq~wj}aOomHI+
zET|9O;txB%u*-l$S~%~bzaSRr^M6E|6^pbh(%DkvFOk506c`5>0*wRwFTuFoL5fBF
z%>ljnnnY1pi1-$lpME|&)yGx*F>daH#Yq;OSAHSE=dC4V#BN9!8&@Z!_3ky>;DPAy
zm5XllE`r})pA2UxX;=F~VFa2EeZjJ9Fx+dRplO+y>aJ_S>uD*tBzh@gnVWEtACV*7
zPP)e(xiG$UmE)kta!ko*40yKW&~}~OK|3L$q5M`J#Z}MJsq|u@{R}?iK<+8u><s+F
znj=e%gFc(~xy&Y4KZY%V_vjvqXud;OeIW0qK!bfN37v~O+xWEqjdUipODB>gD?~VS
zTr8hE^kd&W@sH?G133Re=QJ)DM>YW7yleO51Gu9Q8iqm(nOj=I(QqWf++N5EZV$_e
zYeS5QQU$GflKQ$D#V*tNQb{pnt5TAaNqPd3v$!k9MOlrUp42JZp=dK4Qy%hlZFC-9
zh@p%UQRC%3t0-mk(j%!<#c-M*mJ;jfef*}%8l->_C{By#k?DAQ{u=xF>MZ9Oo2N|y
zBocJRmg*&{R7K*lg5fk%eg#gPsh92=3vdPpk~3+&1okq(rMZRD5)(Yi@f%|*dY*c=
zyF808ez~GedK>lBOS!;<5uR5+AkQS%jH%RFWz{*K8qL|m5&m_Vxp*a@t&D|0y(?}S
znSU2=tr&bf(pur#_5K@?RC(!BiJ&jWeD6ET^xt@P)TY8a4{S`|vK?uN%>c`T8oRTj
zXg9yBQi26!O#`|$=azRcTMw*GT59&aH)_1`3orUmHw`sQPZ4YKhDw97-UNi$D-$nG
zJxAR=nk)71c-c~x0Mbvb5+2cJO|$yKW2kHU%DVPTFe5qo9-jLJ6)ou(_>7-+tIu3>
z8#hNTXJ^Z4_$t32fp*^6^OO11S{IJou5VS&6EH0rL_b8ULe^Y&mhH)Qn|%un2Q?xO
zXQi8cY)1<mP%3d$giRi81#thaZu4>!YWN+ew3uY@ZK(R@c%>mrgZ}MjaL4tNG2g~p
z>YW%y6%NoSKgVlyO}H0%cktrP1;wYcE#L(^$4wR-qg1a~mu+CbHwfX+$^!t90HmBo
z?(pBJHUIe!BY+w3PrSi60s(m9k3yh7KFHIQ%ZY>hVAPIW;9F0@HcXg8NLoa1)<Ytq
zmGeHie4#?7jFE*^d22lnUZ2&f>Qtj!SjRCc3i@wG)mZIuS%ki7h;JXX+dlfX_tlpN
z@3qit7ro*U1ETF$d*6oXb7+fVfV5o0T2)u=-T@WG`@T6^#{n4b2D&yRHR#6EINuqL
z#<Lsb*yqv=ej2#h7yH85OtKHS^a?scQQikj@B}N`M)o6Z;wUeyey`l;&2Fjsn(#c$
zzt5lc3ITIKucvWie4416i~m$>(v?G@c*xX*Zks&I$aYr}<0p<h31EM-XzjVc`)=D|
zmB^|@u_7<_)pJ#YQQ{X6x9lVj?LAW;=ZQSfF`VAx@<8yL*1jkh5<8IpG;s20@`S}q
z3NM_mZg3D!-c}ma52BglQL$u^)>79`pIs7(V!N9lmtKCOdglFBvRq3qJi#POH($+t
zFvTmRSAiE;a!rXKXH(i|I^u<ZV_CS&ii0Qm74ap<5XpmlCIM5&7Q2ze^{rzDw?*_^
z$6Od9rr2ij=-50y0&h|>TDOC=Eynw96QdReRbFJIa`u+ihr~Cj5{rkddQ#Vd+1Rqg
z{84;c<H^dCwlES?aAxkirV}JFg*qGkkU5nvH@v{-bKmNf{j02zy=h(k8ZA-rT|-mz
z*Z#S8q5P@XD72eB424tbCLISTR&b8%OsV(WL5d-nws@sCL%`2c^mg&|7y9l<R#?l#
zZ7jRGSnxTRy}2<1p^;CNk>8QcJ8*e0)VcyJqBW$q_eQo}(Yc$bBt+`siMcLmm9&`w
zjy5!Zr?)u#r7aQJ5wj@}DxB>xr`F*&@G0e1x{QehJ_5?3Ls#(1;qAv>;f<V%oYLfM
zluljD-aE(pao0HLAh2ypSJJC~Myu$#ohpR0v96zmpz4={#@&Hdos8)hoP9pE@J^p4
zrf>IzpMERQ2!fHbYXZSWk0DD5yCt+s<^6}mdOhH^hTh|s6QwduL$CEd!8)iVg;m}O
zH?a!E5AmmD($i;adFGCbaS|+ar~3GHqV1%t7<yF8MkEj4vhh^hjf?J7kV*)KAba@3
zCj114-!VJyP`))+YDTa;$^f2KzFL(oH|J<d+58dEsR|0PyZrcu^1V;xDaeOr70~H&
zx*U^85U^k_8DtmEbI@)0LPRfDZA;<97_f%rhHIl$r$<YGq<7q^eo*QaGjsEI{k~{2
z&2~Rc|1VbzpJlv5>l3Sky}M@3K8y5Ha6KKLzS!1%^@&}+!wez!m%MHjy5sWsyBq;m
z%Vuvj4E6apZsaYYZce8`cU_H(ix&?I^R9(hRmVg(N9;0AaY<ZPH>6?w&PbG{<@V|o
zE#)VKTgkJ@b>TjwB%$esdt=k=d4?$Yd(HknV~7BSZNAlWUg!<krAvVglMch#PLeVK
zkG<sXu{g_9ACy2>b|f&D#u3WYE6a0V$Q%SSuYYtWdmz$r`LQUAj0)|s$b@^Y-0BFV
z&wW%v-0N$S0p-V|AcM6uNU2xkM1gCkdrtB*nl+aI!|W5yT*~D1y74wsoD3f7E6j#q
zi>mS2pECHrYzfUz5?dh=XdUx=_CGrCqS$V1i$~VH<{rl9s-ZY4u1hBlABE3|4&y(b
z>eC3-Zt@MUG__GoR--&<6k50TJ|1baU!N|NG&7sckA39CNf^6rq+A28dts^;b=#3(
z)Nd;wUY4t)=@607KB{dQ(-GRC({{1BLMII4PjP?6=xO1=b;*!DW*7dw5(odG*3^kK
z-H%!KwJ6Bi$~1RFBVO2Lua7L(Du>mA6wY0SzKwtzbakV-;t7P6UqmPaAvb0^Wio^n
zuTe2VrHD)71vjQVsnG9B8t$}N+APyXUHo{EuahPqX%Ur}+>?Y+vdcmUuj3QovpnPl
zZSm=A6l9Oxm(g(EG=WONss`AD<}DwekZjmWFjfcC2$1D|ef+i=rYCZJauQ7L1TB8O
zQ`+Ud)tqubO7>p)&5`qo=3YU0I;HFh0S@;r!H7UfZ276j{}b*w<MX4spkQb;9AW)K
zK48&uh(=Mez@7AlDU*)NJ@OY^DzYGXPl>fGrGXrwekv^(sA;a+R3=N)8n&h!G*-Gc
z(Q8-G84kzO(=n25N!&Hum9CYqQ;IPNHjyD6Zt!EGm}vAuT)Fa)pW!9vXDfucWn{$d
zk?=)~@TGfH5?UL{b4kLsx&19FM5u&YYdXfd-R*WP8IR)SRq7t6gtVDW0hg-JVDRNA
z9yojSEnLv1YtyX(nmn(hUk?3Z5qg2BGj_I1O0$ZTZ10&{LFDo(7uhJ}dAVKppn=Kt
ze03^uo&%9bl^1X2`a+m)iIWXZnetbqd`(9r*ly~K>0|0~cwNkpEn3H-fy83=&tgme
z6ECz4%mF6y<9Hb-xfAi4$T3l}ptS>fzpn)|RcHG+ZeA8V=fYQ_Trt6vR576Ok~4pG
zV=b@s=FE%CMp3gxk5COc57n^n+Uk=`ZZ|ax)qGm!i5q;1ogF%hvYC^0h)EH?QVKNb
z%l^kb7YrZNdsX`72xxJxPmc<7W(J}LVlQ{pvaDztWNy0~!09BB$*DO+CT|L3?WL1G
zB%R5G(;~fi>pon0=cK*C8#p?^MZ_cdq*_P?cBwbRBhvJY#?S({JV;h`_>n)PY?gB~
z*^|oMzsTo1Rhm~}+YWmUXEz6}^jS*SGJOr8kNmZuEcp=Ni}`-?r&oh4&T_Q?z(QTz
z^hocS8PIr%&@+?B&s5!O86B11XYnYV!sU*3+b1b@1M}SXEA_o3ruHV->c>Ino+oZn
zdoimHPvh%oWKw2di?rVNv&=b^4ePd|7ThNH%DH3bv2=e`y0Jg`0%26n$O8`Xq3&lF
zzuqw?8b`5*13(}iR*{N~0NH)IOVfmm54)~yqQwQN4KK5J1gt?ViAU?sx2--=eQ7cS
zUc6@5bk%7Pp<|O`%c9htCIj{;$<#0c#~^CO81ZVtRdsiH$iouTMwbYVP=peKkfmZ(
z6B_9#>%0R0_IkJn^60iMT&bw*5?<0lH=gT7G8C+E%tvU6t^tGzj&rn0-g)Ge(q8B-
z^%&MVAtI~)aczJryT+T{$|7lXbM-{3{;1*30<wdMeY?#1h!#h%?UHprocHP_`4hot
zu>><x#)=@;beZb7Il@rJIC|B_b=+(erBdBF3TrirtAhDbfkz3Wc+j^7TZbR@Q^{M_
z<Q%y-gLE?a#RGv7F|kSR-D#j1kBVEEmqZIWy@W}Y7O_6_Y8uA$pWW7@O&*P)<3uWe
z9)7i>43<oOwVC~!Jbd$F7K#=*;x|iuDvPrc)?M}RYFVRR@LiMkp@4^+w@jW?Y}3PN
ze7&|?HJ6pjUFl$|LLXpY1nD}H059w_N%J3Nrz$QVh9tVQUD1({^SV@2zngA`DJPER
zzX^P@Bk)P^J0$sxZMx&cO;U~d4}t2rCBAj<K{hV)Zu=Sy-(HIi&e}OevzZ*?ndsyJ
zBi<68ZK3YnUr^9ah{b<UNC&<W@({=oY3a?#TRrzxu;fS{IFV7W1WlHyo^EA*(_%`?
zJFH9h=z(Z3<rwqfp7yIc|6Q7xbK8a|GyW{#lCtxk@B)02>xY#VWEnZ9LeH*ZoSnm)
zbCn~VM_GG6LUB8^*NRfa%_4e#bnJL%=m5WFXs72$xEb2t<J3e=3-b5G(*q8i+Wrb4
z_E!HjboxF0v}?yrL4HLAmP`Lh|MyJf_w3WI7U%4L1qZ>Oeg5w&opv)g7yK)(W6}CA
zgYtiR;-BmPlPCJMel#)Q|KX5+uK%;yINgTeI_6)|hiy#$DuMs$pMOt2T}yGD%CATy
z`*-r+`j+4GPuG^ebAXcK=gm*m-`~?uD+jIs{R(;PtNeKO-^<bOOPr=QPGWvV2KIse
Xhu~;I2#IhPox}bB*cL+RN7laps10!K

literal 0
HcmV?d00001

-- 
2.39.5