From 6fae5bbc185301057913a800f14202be8d630cf2 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Sat, 7 Oct 2023 22:12:25 +0000
Subject: [PATCH] Bug 66425: Avoid Exceptions found via oss-fuzz

We try to avoid throwing NullPointerExceptions or endless allocations,
but it was possible to trigger one here with a specially
crafted input-file

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62697

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1912793 13f79535-47bb-0310-9956-ffa450edef68
---
 .../poi/hssf/record/SSTDeserializer.java      |   4 +++-
 .../poifs/filesystem/DocumentInputStream.java |   3 ++-
 .../poi/hssf/dev/BaseTestIteratingXLS.java    |   1 +
 .../poi/hssf/record/TestSSTDeserializer.java  |   4 +++-
 ...nimized-POIHSSFFuzzer-4819588401201152.xls | Bin 0 -> 3182 bytes
 test-data/spreadsheet/stress.xls              | Bin 56320 -> 56832 bytes
 6 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls

diff --git a/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java b/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java
index d840078c73..16786e6dae 100644
--- a/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java
+++ b/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java
@@ -48,7 +48,9 @@ class SSTDeserializer {
             UnicodeString str;
             if (in.available() == 0 && (!in.hasNextRecord() || in.getNextSid() != ContinueRecord.sid)) {
                 LOG.atError().log("Ran out of data before creating all the strings! String at index {}", box(i));
-                str = new UnicodeString("");
+
+                // not much sense in trying to continue reading in this case, file seems to be broken
+                return;
             } else {
                 str = new UnicodeString(in);
             }
diff --git a/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java b/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java
index a4e76fab89..92021f2f26 100644
--- a/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java
+++ b/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java
@@ -169,7 +169,8 @@ public final class DocumentInputStream extends InputStream implements LittleEndi
             throw new IllegalArgumentException("buffer must not be null");
         }
         if (off < 0 || len < 0 || b.length < off + len) {
-            throw new IndexOutOfBoundsException("can't read past buffer boundaries");
+            throw new IndexOutOfBoundsException("can't read past buffer boundaries with off: " + off +
+                    ", len: " + len + ", b.length: " + b.length);
         }
         if (len == 0) {
             return 0;
diff --git a/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java b/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
index 26627b5a9b..6e18940a72 100644
--- a/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
+++ b/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
@@ -88,6 +88,7 @@ public abstract class BaseTestIteratingXLS {
         excludes.put("64130.xls", OldExcelFormatException.class);
         // fuzzed binaries
         excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-6322470200934400.xls", RuntimeException.class);
+        excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls", RuntimeException.class);
         return excludes;
     }
 
diff --git a/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java b/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java
index c627bbfc55..3dcdf87a27 100644
--- a/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java
+++ b/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java
@@ -18,6 +18,7 @@
 package org.apache.poi.hssf.record;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -137,6 +138,7 @@ final class TestSSTDeserializer {
         deserializer.manufactureStrings(2, in);
 
         assertEquals("At a dinner party or", strings.get(0) + "");
-        assertEquals("", strings.get(1) + "");
+        assertThrows(IndexOutOfBoundsException.class,
+                () -> strings.get(1));
     }
 }
diff --git a/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls b/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls
new file mode 100644
index 0000000000000000000000000000000000000000..524001f77e33ea48f7b36a49a3ed0037aabc5f44
GIT binary patch
literal 3182
zcmc&$OK%fb6h3$CIAa2h6Ot6d%PDzh9GsVVN!UD+O%O;a6%qn93Al}$#DUnGY>)%A
zRYhB=V#SXBgl^cdXxMa7Rcd$L1|$#?3nEqGp(aefb7p*NhZ!YCm3qeCozLHWopT?@
z{^R$$<sW})enji+7zOC99i~u;uD}^$5kkFfGcUfGL#oiyGnt9W%uFV~5VMQ3RXD`v
zo3|P4<omd}`8j-BzVxm6|0>onHSb>lixLE?0N#aazy!j;7N7>$3Ty*D0BQjo0jdM)
zf$cy8&<HdE9|Ajooj^0N3)l_p0rmp>fGE%cd<5(VT7fp89q0f$fi9pM=mD(n?@|n|
z^@1M&;y@qJPs$v?n`npzQ6_+c0LSGThv{R_ee}xZzbo(ZANF{^*~e%OPab<QOj*3=
zX#p#Td(H=96V`+iQw&1q2A_UQi68#@=K8OyG+&&@?DI5Dlj6s;Pfvfjo(xr--zGeg
zk^I|p4d;OHbPQ)FE*Ql77rKO!Pgc3{op{Ga&zwDfW^DN6*|Aflb%>vjxNF)gkfOHH
zTl$QSrZ#G~srr$4tS_E86gz$bmxfkdH;f?F6+-qMyz2`=d2cUN+jnjRsi9D1k1JlC
zFLB2oNa!K@cq*OF$G=5(P<S3H6CgVG9mf0m0_TC1F>xof!uOq%2#>&Lp%epDv%-1e
zXJi$V7FUs5%q5jVnUedDDsW^N6Pd$&h2*k|e1b!0&))lr2a;hy`hb35;1%+cNw+W`
z=cUVLBOvXh;5@|E#mOsdB2|SV^kCa>$ZH%Ir?{<f^a=tn;AovV9l?OHle?ckPBbS!
zt!BLdrD$zdkR34=(YE<vuv@zHNO=RL()sTuzE#mJscFXmpNTz9c9if=J@B(+7rjpM
zB)q-`S;|s1_s8*BP8Q#aK0%F1Hzih5w@uE!7l$w5BgWljKGWc=%wt*XEJ!V}CZ1D+
zt7TCUL3?Mu(sqG$T1Yatlh?W3j+C@Ud@@vvvDYD|okJU;w8E~bCABosLObD0*a%6B
zMq0y$aftl$K=O?pXyRJ5X*Uo$DX<RBIyLLktXs1l%`DAgn)PaSz-7D)v)}<b>Mnz`
zG+7UA&O^KEp<VOP=3NadFUB#AL$jzAY(f}olfo9kE^F<IW@*jXKWAk=*KA6&jAmbG
zHjOcz9y40w$Q|w9@i<CH<JcU=5jl+Gu;@?x{2sxLo>E(|e;Yl=jC#5+|Kd_k@KWx<
zEeizYd@5W&FyjgSHE^C_<1@!kfL`EY*3e;Sd~N;BJ=BBnaQ$xfd1(C}+JJ{P6nb~O
zq0)A>N-k5PRC9ef=%F3*&<>YrlJF}moKt(GY#c{B>Y-&b`CM;wWNtp1yNW;A(cD6=
md_KMlyc7JZjMP|OS?RZYdNyb2PVz09pGw>I8#|iL+W!EmMJh`G

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 2352603880adcfa88e6188ee15a73d67353179c1..d06a4e4d5b74ce0d1ad463948d8cab670be9244e 100644
GIT binary patch
delta 3487
zcmZvedrVVT9LLXT0g=~*Az&nz)jy_U*#rbz9xA>7d6$PEFD-4UI4lgxrcMWQ({0Xe
z>TwSpZcgXWxw&bxM-(fGFA^2eER*dIvp<#rjejhgF`0?7-#z`6a&DyIg!8?h`}v-G
z?rlrY&)S}T?cU_@R)Rl~gls&s*rJVTf#Au+#Dwp6lQQ3DDm)voF?i<g5(N(-t2SF~
z?ar1qN9RrwN&3#R9btO{QvwM&<BASnmP7w@RTURg_P8j!JI$Dqk#01mC8wk&r=+B(
zzOcEqGl`JO4K|&n&Ed2;oVvDVo!OzYfwNWDVY9S#SalY&!_nsCnaw(z5SY((!a=iD
z*KY1~>YBQmn{6GsrnWAJ)!fly>zqzVZcD38S7z>T&LAY;?69^1P~tjQ@*rT=EHXl3
zrx6kctKXVRNKq&utKeGx4RQ@s)Y5KKd5m&lWIGTPUVTyixrS)Sy%7IgOSHr^Wgb8R
zh-r@hcpwQRrY*6Pz914r`r`e^VHvb9*gGeh2!(SUtUBIM6|9LQf59w>%%Mt}LnWeQ
zqfg1ko|26}CG)rzxU`z?$8gUSbqvV`wRc8grtF7zrh!@b<SYPYyC!FWB$njidCFq^
zmQmQN7?OtMDC|@WfjhySqp&YA#IDS`p?(y$C6?r)Mp?gKGbU)pxF#JnV}1=-#<=Al
zJf>W+-!jfE!IQ_7#ds|ZA!J<8j0+l%pz#PAk8n*MZt?Amhg<U4f*<ZhC=R%><WB;B
zO|YCh&$=>y%%HRH$^JV};cQc=e-7^#+UGj((=m;-8uvv}#E}A)doGa{vi5U&TEu!`
zEM|i+maqpfmNMOWJuPEJ=i@U>aGo3XB?unMS?~(rTMv&ISjy2kjXQn&ISno-j+oey
z^YOHT^-pmG3l8Nr#*s>NOcxx}(Gl4nPpeo`zkeMef&<=V;8=r>P{9$3jvjDSv)(C=
zFu|cblyRg69pQo_936jyV=W82;9p0C;E=eZ79En{kkGOILOiWw+om`o1xFNj)T1Lx
za73YF7#t1k{uIYEf+Lzc8qpCgIHJ*!<Bq56SiRdo*Rum|JvFld7@OFA7%gn(MLo5$
zl`z^^`$Yq7W+z~@vp*o&z`_Rfw1pXA+~~3noYK%2S>z=>ZDrXoZeklQ8K{FDfw7H^
zTrx=QxRB@gLSAACmu0B~vpJX*T$b&fn9cQOFmuBv$6Q#j^2qrfx_SKKoXE}-*m){8
zk+WUMCSunR^uLVRe9RtQme;<5nVx5xVW#x!RZjR)fd^#^vPlA)q+*}v>{ix(MNeO4
zy;t<oHau^E_dNFNl|*SfX33aET$QEQFiXKK^Qvs`#w=CnOjUI*<efdpE)>{>DpvVK
zjU%rkn}%I(=-+`^I%Xc|e*?2cf^(6|Y2eN`ku?acLB$$5yAxR>b~&!e(k{$0FgtWj
zw!ej0rr^v}IkUL)ZDg|qHcQ23bM_r%v#~2-P?mOMwivU5K{@MP%$5kwB`W7q?%ady
zQZMT|I(S$ky@z2AN=vTG()*Y#!))ty+5Q1$%Y~xls-hLVXfLuW1a^grUCG&f$gae$
zC(yqivsIYQzaiThX1RhhSLMv(&I8Ei32dH<&FAcg$mV0$=^L{25oW6~`yKi}#;iba
z7O0$s-1!Nzg#ufsVv9I?5ZNN^YP=~+hcGL~Z1+vs{wZc9g0n>BEalE#WJ?9MRK=EY
z_As(#*cCA(OP^t8!Yp%0wttRUx!^2UIV-sH2(lFdTcKhrIr{~&mDuHm{-c;xVdjDU
zW0<WGoNH9hYVQ0J*=m8UR<SjlJ&tS*b~$dz(pQ+R#q7{6+1`g)t>COxIqSId1hRDk
zTc={{IeQY>dhALVmZh&TYrw2vSk5|yS)<@=R5{mi=Qqf%!}E_0Z<4;nY`w4Nwk(~-
z%<SvAEoXg)S(DJyr0TKop6`*h_<C;d*TO%6F2kLAdiEEiHca{4&w*c3cJdS}yE}u`
m+zks(m`Hx~@ZoQi%?_BsdhR}eZ|bg*H#9efT#rVAwEqJy@_`8e

delta 2469
zcmZ9Od2Ccw6o>DfnQnB3$1btCF_;LH!H6IX^jY>&Xqgt;p&OJ^Dk79sK&enE#kv)g
za#Tb`RKQvhu{@Kama-(Y1uRfnHD!tXXZ*tu6A}{>t!M81>h!&NnUmb_{?7UCo7YLF
zs@Yw2#=U=nuUz0YNQgC!sby~8zrDS^eeZSD=+3TN;W_PD8$a^bU^qHJq-`%-wQ1{`
zjT^Sqh(RLd8>;s1jTspu#MjnP->jK3&sq`;N-Hhf8#82x_(hC}6T-`#1rvoBmuQuT
zisY_P&T#Fm<Q>UZ!{F%JC0yd(fauyS+#=L(?GYXk8Xet_5iufEG2;Juu_9J9Bt`dG
zFB{?`YvCFg&RKKwju%_OZy!iH(sX;^9o;L%9lk^_o$P+Zsy{PLj=HC!Q)Jkh7+v%I
z$_7h*f7E5nlS2H%9}E-mkVq%1Ia$u9yUl*NfD+F7Wd=>=nn|Tx7t%hiLHh1&lFH(~
z7VeAX8+@2AkDkKE<tf?p=h-BgMZT6KxrmZmqUm^BIzguwQz_@NsFG_A9qN}JU`r?J
zbS`!3^dDS9lyELO+iOevbb1NRIv1W@%r%cH`lScj(uPjwQ=?9Ia4n$U`=tlj(t~xn
zkVc&k&rao9M1|+0CmCW(57p_VRHxG?xh|v2=L52s<ORQ6PLFdfp+c@JsD^7PHF8}^
zcP|8F84bS}kk3%?qF=6}3a-!6ajvVa&Wk5p@;R!!<d<uxf$LiO=~6(Jldm-(*HKz)
zz*vt*`<Q;T8>qHb85_YygEh4(a}(H@2-6SNE5`6&a`?gaJ=(GQHZ~(W7X3z>GM)!Z
z1~Zv$0UHOlx=oo|!Tg$S<5dfPgZvK9c<p%s+3}GqooiF_MY`MOm)j|!-EUN2{|W5R
zX-_s@0-FG~qg@$0z@7xFZ&&6{u!#}ItMEA{I?gdkpQ94lN$Bt8nJ<Gq1?Io3j9p-p
z!SXLFvkGiVgz+lund0ySv}ZT60ra2ZnblxZ!EQ6#12zpT?us&B0ZXxYQXC#rduot1
z(O+^!8Lxsp4OYwSHLz5$Cic7zHr?i#?(odeo;Q%45y@J{)x$31O~9EL`a_2@YQbiK
z{nnw(y<oF#qS+4794*?1>>TvZxTcJ^z~+LLGkY5>4ea1GW$p)?XY<T+c+$0}4%u|{
z-{+YJz~+M`T~`KyEdWcuuFQA9GHjj<hbL2e-bFSO{YQA_dteK}t};6a76ki?J@12M
z**sYePqy|PLN*)y**BE&0oWq29n3xiTMSlzLzy3e<=8wq4o|N397Z-5{k=T%W3UjI
zzf&1Uz?OjJcPjG}u)GN4Rrm{(=kVlf&!@=dqyH4o{0yuB>^8HbV1;0DH<ft|tjOjm
za(I?%&v9gzqQB&(GCl`e23E_g9;_Iwi9KI{Ew_1=J3J-Y(|~LV`i-vj#+P6#`aE6A
zI007L=jl@BS70k`o|O(ynf9DSwye+7eZb8>C9GrJ%Ou_FUVr-MsctX-_z^StUA1#}
r1}*9tMg=|I_|4Vx+aA5&BWaXp7*+K=;Qv6|ZtZcE{Am4sE7tuV>2d*m

-- 
2.39.5