From 4d175324f2982b6b05fb7a5aea52831aeb2529e4 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Sat, 30 Dec 2023 19:39:24 +0000
Subject: [PATCH] Bug 66425: Avoid exceptions found via poi-fuzz

Prevent ClassCastException

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=63736

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1915003 13f79535-47bb-0310-9956-ffa450edef68
---
 .../agile/AgileEncryptionInfoBuilder.java     |   4 ++++
 .../poi/hssf/dev/BaseTestIteratingXLS.java    |   1 +
 ...nimized-POIHSSFFuzzer-6537773940867072.xls | Bin 0 -> 1782 bytes
 test-data/spreadsheet/stress.xls              | Bin 62976 -> 63488 bytes
 4 files changed, 5 insertions(+)
 create mode 100644 test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-6537773940867072.xls

diff --git a/poi/src/main/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionInfoBuilder.java b/poi/src/main/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionInfoBuilder.java
index 0674305b22..dabc789e8a 100644
--- a/poi/src/main/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionInfoBuilder.java
+++ b/poi/src/main/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionInfoBuilder.java
@@ -36,6 +36,10 @@ public class AgileEncryptionInfoBuilder implements EncryptionInfoBuilder {
 
     @Override
     public void initialize(EncryptionInfo info, LittleEndianInput dis) throws IOException {
+        if (!(dis instanceof InputStream)) {
+            throw new IllegalArgumentException("Had unexpected type of input: " + (dis == null ? "<null>" : dis.getClass()));
+        }
+
         EncryptionDocument ed = parseDescriptor((InputStream)dis);
         info.setHeader(new AgileEncryptionHeader(ed));
         info.setVerifier(new AgileEncryptionVerifier(ed));
diff --git a/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java b/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
index 6e18940a72..b239be7923 100644
--- a/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
+++ b/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
@@ -89,6 +89,7 @@ public abstract class BaseTestIteratingXLS {
         // fuzzed binaries
         excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-6322470200934400.xls", RuntimeException.class);
         excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls", RuntimeException.class);
+        excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-6537773940867072.xls", RuntimeException.class);
         return excludes;
     }
 
diff --git a/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-6537773940867072.xls b/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-6537773940867072.xls
new file mode 100644
index 0000000000000000000000000000000000000000..646cf0d46a3af313e65d18914f5053de2eb30207
GIT binary patch
literal 1782
zcmb_d%}x|S5Uyc=2SwQxQ1FMwF(K@3!V(h>k`M^;0&3)9vWW?a35g~fE?&sK0mvKd
znG-i|?hy_~-hd_Cym$~IQDOM1w|k~{GCg~6Yw}H1f7M;v+f`G2{Jqd_?oXT!5=%<H
z`Lzi9+IJ}%FhmY)hLmA~-}h;~T$NhUpkn1~l%*(Pj$I$&6j3o93HILvpLG51o=`T2
zjybT}Ijbk?n2r+hW3?r9sOBb0!GdOBg~m>3##p%?xiFVpVZiz0%%_12z&Ym_dB6p@
zHf{m8fg#`y3Azi75}*Q51nvPNz$h>V+y@>2<G=*)5O@SU2A&WtO+pJ`3U~^50PiD|
zlhFJh3vqQNC5G9J@#gUt{hu+8zEc-{k7x_X2{+^weZsSeT&&VZ=sJDo6HAnN!EVkz
z=Q_j3D?cVjGDHJP+mzWa*6{0f+MxGx9~-tMR=!9B=4Zowqo?rx&Q=nq$rGxHlJF{?
zSFMQ!w%^GLC%W(j(YapV5^aYoKZcj{Ih5$0ui`k{-~&M%@D7zb@h`PQ^D`FSweS@S
zU+VBWe2jMU$Za-5dz0UCM=gi4XbiJ-h`pupa2MDDShF}E&^a1>cLYrjtSJpWn4{MG
zmtW2F>o+e~-!8jz?sMgOp|6``zK-MzcM_Im*Xzbe$2nkQk=zvd*JwEZo}u^u_~X+U
RcP}NfFjZ;j!tA(^j~i{9qWb^<

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 4a146faa1f53de54d33e403d1daa69b1fe411a16..26af0e5ba373a84d40f5ee9c8aef40192148132b 100644
GIT binary patch
delta 3051
zcmZvc3s6*57{|}qUDg#B?gF}NY`1L2oOHEVc`T^dVqjoGV6Gt|`KWeO1WNEhDk##!
z%*@ZS6ph}Lsp;)$YGp4oN-a=iMjp<j2#%vp&N$5^efRJooICB#e#80S-}!y#oO>^o
zm&}z{%$s7uRxtWF7+bb4d8;{MDF!#YySsaT<<M?+@3$<p4NVQ`Y$!`xKL3f5(gnpu
zORAZJjjV^Y_6;FXR>m5&sIU}2*R(+9y*8c+IcYKA4-9f7#K-!4zSyL=n8XBMjBhNg
z$-d*Z1w|!gr4fuxDlDGAXjts9qT<qFPZpOIJ+4&+LPDaWStoN2V9bs!JK`BT5YAZl
zbjEgvY1{JhIQPQ!S$BGmgbvZy#8x3^#;>>E*upH#JEHG;2n%6eEiFHzaE#65U_&@#
zR(3a5#{67idglC}%%xQv-EOV;7dNg?aj`{Mdqx~b`uciCCLD#~h?}fPnsL;VTkx+j
zx2O<yJ1ZoE-mcH*<hpMOkxs7r29nQNaZBjr{e@26U+9vAE=lMT!UPh!Zuwlo7o@f>
z;aiLz{XDLBW6boT-E+Lk6mdlDJ5H`2uXgaHW>Si1Ke%^Xb1|%L7|BbZuEE2ff(EQl
zZ*KJPB`_LmDdaYK)H0f26%+I|=|^Q{`j(eMZKInngM*Fkq@~Cm#w!Ex)<)ykA~+lJ
zF1DN;HpyWlhvSr+uYl2~`Wyo#N2qX=lOt4egp#8Y9nU~bKgS@+q2GEJTS*SP<gk<D
z3OZJS{dC_t!XyVi)#zAFj&R8lPL4UJ-Mj);_H!tb17BTqRFcCXIUM9TfsQqBsh=Z4
zazqNpT5?26j!1I&o7}t#@|)ah?|q4q9D{{p9c*dx@oK1V^6+Qj2G-|b_!$p>9<s5%
z04uSshq^O9{vxzt-2g+IJ^Up|#kvtnu)eI-H19I;O^|-p!(V|?tec_std9dUVci0b
z79W2V(px<IH7Lcp6>71*4)s{yfE!r1!SGg(vYoc$5!<POf>u@8LD^`^*0-vBC)Bli
z_?ysxb86}OeRMs%ZDjB*%3^vl9395@J_e6Pe<*t&ORw1e+r)Y$)@xwL3icgh$5OAI
zZL0DvWwDeUYg2>oQ5GjT;|xyxCy9^2`^3geY`lThUpW{1fY=1;mDR2)b(HxiD{ohW
zA5xYmITH=eB;ovs*d&QfGO*(WyNlRy)axep|CqAzl#M#426t07L2^zoIFp5Q53$J-
zn`~ew3U)8C6RFppbE@(QW%u`FTJyObrr<sb{gTvgkfsRfeqvK3HpReB60An-Bw9er
zU#jvcWe-pmdR`5FMp>%lOf@*ug!6M^(<C;{z)lwI7sO7cUK`J=%9oTqNZA4G{}pBF
zk~7`l%n;54#AZlrhJl?T*sqD5LcJzlP?dv}Jw(~U3u^EXWm6^RRD&~9I1dw>DY2Ob
zHcPPI5SvB4E@S_1DSMc*=nggb9c9^)Guz<I5zZsT=16Rgft@DU?}?p8y>@n}$`6!1
zLfJ9w|08A7CFgX5Ga#Hl5gU-$fPtMM*q@1=LA|mrs>)Hy9;K}Oq8j{#vRuiTYjDmK
z&SS*Rl-QXDHczm>5}QZ8Zess>%4ShEs#6XAMp?e(%r`h^3+L~|&X(BO2DU)3$B8YV
zUVA!K<pgDqQP$kKICzq>Ig)dZ!8unr{~&g*#LhLa^91`RvGaQScd1GPW%GM7t+{K2
z32HB8?7y63w#PB%$C+$zb+rX@u0}!bRlDs_OV^ah@y#6WvJ8gGtAF$5P<E}#l-{BJ
IbIof058%g16aWAK

delta 2392
zcmZ9NYfw~W7{}jtce%43F5P$DY5b54b1Z=k5RWKmYD!3mfN_zM>4S-)q6U?<NLB=e
z+gni<mEDVo<Wy!COp6q|2sI-&CtP7t6lR=(PdP}>9{voR!w%2P`Mv+=_kS0b!E@E_
z8L=OTbyhHZMKHGKa7u$c^7`cD<n(tX9bWflxmq2M2H$dYy+0btR#cQcvVGU)vTf!2
zSp?g8TJ8(43vdK7_Lm;*OiSgldQQgO!FphBKtNO!8)i2JF&0jn2NM`8oul7Tkk7eW
zdJ1okYY)BAuVj1a+)gj|tY-&vF!#Kf^8gmW+<Ir>>QX(Yqb^YI>h#(o+r><P`xo@`
zzjd3kg)=rmH)V{on^~z$I2*&a%Hp#s-zIBmmdPVDx647AJEYRB@|{xab|sh7UK{NN
z(p_$&m&35o^~tge&LG2?NX*|5#B6j{F6+Bpe79_x<p?%8LJY?qI6_R05I82u@tAb=
z%-kc?<Onky6>x-^9AR*j^|*MYtexfX|72(0i_>sC4u{j^aKbS_jwj@`S&lg-hhjLM
zghMeo6gV<_U3{<H(mV5BB211*!|@axktRnZ9LLD<wCtbdh%z~%4TlGgXp<uvjs<-#
zUM17}lK4JZ-KX+u*+TOf*-vx74C+_;v(ioTIa%DF#GjW9G;8D;A}`2mG;8IZ=Tu&&
zXP;}b@fYRfKPrDossk#omw5w8{D7>d>6IsGzAPt+OR1h$`71Jy=Bu)r=4-NrW`pcM
zuWGO3vZ`^}H|VL2KKd$M*8eM-{=m&Q-q=B8=TBv2nosaIWwB4?Z^>Gpsx;z!0nXcf
zG0NLuv0xKEp}YeY2NrWdXzzl>PceG(-y_~~54UlTL&&<ZUv)t!?}6O|)=cbuumrGP
z>iGaH(bSV@=}9trK14PN`*DLp`3P(wSP`+0!IHsh28H$s*dkNUB1?~E^n8k}hJ7D7
zKLc9~<{T1A6IcpZ@{rIz2U}w5Sz_r~YV<TCyL2k6dxsir$`^pCkfvM|N()#T*yf8u
z`x0!Ksc4y{Xt_~z7}@36KTgh8uzSHqiRoY~z;3-Hw6DNcntE1RdR7@dUn9E;`#UZP
z<r}d3z#54i0b32$K|SAstughivGk-HJx7sE$Nt=5p?n8+KUfB_@4+&_Du;#k1K3(q
z&ss}QrqS~wvYFWLB4-=e17H)xj)7%?#atHJPhjh&7(My_fYw=hvW=eO$Yx`|>atKy
zfUO5>CiXK}4p=Ys`~sG1>dCeA<QYBf$mU@`?ut-;1=|2tMC>HkgJ3mRgmwxn-_(<D
z=_xRJI*={EzK@)z!3x2gBSQHNtOzW5L}<T*Z8Y_4wDc4kJ%1oujD7FOR^?Byho*Z*
zg>nY$;pv`Hp>=|7GWBe-^pqGqUC5S9Wp(f9JX`D4WP5l#W2uzz^c-5~kXd8Va>H17
i@QG7*Ee_WDxSZ>_L3+l<>0kEl@oJm*U;V%FK>PoCGzn+`

-- 
2.39.5