From 3e964966cc4f5379e3d0170fdd3a2a0c936d4b18 Mon Sep 17 00:00:00 2001
From: Nick Burch
Date: Mon, 12 Jun 2006 14:06:08 +0000
Subject: [PATCH] Better handling of zero sized images, and where the picture stream doesn't have enough data left for a full header
git-svn-id: https://svn.apache.org/repos/asf/jakarta/poi/trunk@413658 13f79535-47bb-0310-9956-ffa450edef68
---
 .../src/org/apache/poi/hslf/HSLFSlideShow.java | 2 +-
 .../apache/poi/hslf/usermodel/PictureData.java | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java b/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
index e410f2caf3..966ebe7fd4 100644
--- a/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
+++ b/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
@@ -219,7 +219,7 @@ public class HSLFSlideShow extends POIDocument
 ArrayList p = new ArrayList();
 int pos = 0;
- while (pos < pictstream.length) {
+ while (pos < (pictstream.length - PictureData.HEADER_SIZE)) {
 PictureData pict = new PictureData(pictstream, pos);
 p.add(pict);
 pos += PictureData.HEADER_SIZE + pict.getSize();
diff --git a/src/scratchpad/src/org/apache/poi/hslf/usermodel/PictureData.java b/src/scratchpad/src/org/apache/poi/hslf/usermodel/PictureData.java
index 2f37b72df6..f040be4859 100644
--- a/src/scratchpad/src/org/apache/poi/hslf/usermodel/PictureData.java
+++ b/src/scratchpad/src/org/apache/poi/hslf/usermodel/PictureData.java
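Review bot: The new bound `pos < (pictstream.length - PictureData.HEADER_SIZE)` uses a strict comparison, so a record whose header ends exactly at the end of the stream is never parsed, and any trailing bytes are dropped without the kind of warning PictureData prints for truncated picture data. Because the constructor in this commit clamps the payload to what remains, `while (pos <= (pictstream.length - PictureData.HEADER_SIZE)) {` would be safe, and a single warning after the loop when `pos != pictstream.length` would make a damaged stream visible. The loop also only makes progress if `pict.getSize()` returns the clamped, non-negative length rather than the raw header value; getSize() is not shown here, so that is worth confirming. The enclosing method starts and ends outside this hunk.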
@@ -63,9 +63,20 @@ public class PictureData {
 header = new byte[PictureData.HEADER_SIZE];
 System.arraycopy(pictstream, offset, header, 0, header.length);
- int size = LittleEndian.getInt(header, 4) - 17;
+ // Get the size of the picture, and make sure it's sane
+ // Size is stored unsigned, since it must always be positive
+ int size = (int)LittleEndian.getUInt(header, 4) - 17;
+ int startPos = offset + PictureData.HEADER_SIZE;
+ if(size < 0) { size = 0; }
+ if(size > (pictstream.length - startPos)) {
+ int remaining = pictstream.length - startPos;
+ System.err.println("Warning: PictureData claimed picture was of length " + size + ", but only " + remaining + " remained!");
+ size = remaining;
+ }
+
+ // Save the picture data
 pictdata = new byte[size];
- System.arraycopy(pictstream, offset + PictureData.HEADER_SIZE, pictdata, 0, pictdata.length);
+ System.arraycopy(pictstream, startPos, pictdata, 0, pictdata.length);
 }
 /**
-- 2.39.5
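Review bot: The cast in `int size = (int)LittleEndian.getUInt(header, 4) - 17;` narrows the value before the sanity checks, so a declared length of 2^31 or more wraps to a negative int and is silently set to 0 by `if(size < 0)`, while smaller oversize values are truncated with a warning; the comment says the field is unsigned but the code does not treat it that way. The length comes from the file being parsed, so I would keep it as a long, compare it with the bytes remaining, and only then narrow, warning on both the undersize and oversize paths. The header copy just above still assumes `offset + HEADER_SIZE <= pictstream.length`, which the loop in HSLFSlideShow guarantees, but a guard or documented precondition in the constructor would cover other callers. The constructor starts outside this hunk.

```java
		// Keep the declared length as a long so values >= 2^31 stay positive
		long declared = LittleEndian.getUInt(header, 4) - 17;
		int startPos = offset + PictureData.HEADER_SIZE;
		int remaining = pictstream.length - startPos;
		int size;
		if(declared < 0) {
			System.err.println("Warning: PictureData claimed picture was of length " + declared + ", treating it as empty");
			size = 0;
		} else if(declared > remaining) {
			System.err.println("Warning: PictureData claimed picture was of length " + declared + ", but only " + remaining + " remained!");
			size = remaining;
		} else {
			// Safe to narrow: 0 <= declared <= remaining <= Integer.MAX_VALUE
			size = (int)declared;
		}
		// … unchanged: allocate pictdata and copy from startPos …
```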