From 6622d9badb3590cb6190d912730548635a359dc0 Mon Sep 17 00:00:00 2001 From: PJ Fanning Date: Sat, 19 Feb 2022 11:28:50 +0000 Subject: [PATCH] [bug-65899] fix issue where malformed tnef file can cause memory problems git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1898208 13f79535-47bb-0310-9956-ffa450edef68 --- .../apache/poi/hmef/attribute/MAPIAttribute.java | 12 +++++++++--- .../poi/hmef/attribute/TestTNEFAttributes.java | 13 +++++++++++++ test-data/hmef/oom.tnef | Bin 0 -> 53 bytes 3 files changed, 22 insertions(+), 3 deletions(-) create mode 100644 test-data/hmef/oom.tnef diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hmef/attribute/MAPIAttribute.java b/poi-scratchpad/src/main/java/org/apache/poi/hmef/attribute/MAPIAttribute.java index 18f47d0654..0338ed62dc 100644 --- a/poi-scratchpad/src/main/java/org/apache/poi/hmef/attribute/MAPIAttribute.java +++ b/poi-scratchpad/src/main/java/org/apache/poi/hmef/attribute/MAPIAttribute.java @@ -150,7 +150,9 @@ public class MAPIAttribute { MAPIProperty prop = MAPIProperty.get(id); if(id >= 0x8000 && id <= 0xFFFF) { byte[] guid = new byte[16]; - IOUtils.readFully(inp, guid); + if (IOUtils.readFully(inp, guid) < 0) { + throw new IOException("Not enough data to read guid"); + } int mptype = LittleEndian.readInt(inp); // Get the name of it @@ -164,7 +166,9 @@ public class MAPIAttribute { // Custom name was stored int mplen = LittleEndian.readInt(inp); byte[] mpdata = IOUtils.safelyAllocate(mplen, MAX_RECORD_LENGTH); - IOUtils.readFully(inp, mpdata); + if (IOUtils.readFully(inp, mpdata) < 0) { + throw new IOException("Not enough data to read " + mplen + " bytes for attribute name"); + } name = StringUtil.getFromUnicodeLE(mpdata, 0, (mplen/2)-1); skipToBoundary(mplen, inp); } @@ -189,7 +193,9 @@ public class MAPIAttribute { for(int j=0; jPk_z{os-jX{Nhfq@Z-nFSacI271`ECz-HV3NTNM7gvA