From 860892e68dc972922d589634c44bf2d54bb4ace2 Mon Sep 17 00:00:00 2001
From: Andreas Beeker
Date: Mon, 13 Oct 2014 23:42:33 +0000
Subject: [PATCH] Bug 57080 - IndexOutOfBoundsException in poi decryptor

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1631600 13f79535-47bb-0310-9956-ffa450edef68
---
 .../crypt/standard/StandardDecryptor.java | 10 ++++++-
 .../apache/poi/poifs/crypt/TestDecryptor.java | 25 ++++++++++++++++++
 test-data/poifs/extenxls_pwd123.xlsx | Bin 0 -> 10240 bytes
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 test-data/poifs/extenxls_pwd123.xlsx

diff --git a/src/java/org/apache/poi/poifs/crypt/standard/StandardDecryptor.java b/src/java/org/apache/poi/poifs/crypt/standard/StandardDecryptor.java
index a3bef188a6..86e31fb7a2 100644
--- a/src/java/org/apache/poi/poifs/crypt/standard/StandardDecryptor.java
+++ b/src/java/org/apache/poi/poifs/crypt/standard/StandardDecryptor.java
@@ -139,7 +139,15 @@ public class StandardDecryptor extends Decryptor {
 _length = dis.readLong();
- return new BoundedInputStream(new CipherInputStream(dis, getCipher(getSecretKey())), _length);
+ // limit wrong calculated ole entries - (bug #57080)
+ // standard encryption always uses aes encoding, so blockSize is always 16
+ // http://stackoverflow.com/questions/3283787/size-of-data-after-aes-encryption
+ int blockSize = info.getHeader().getCipherAlgorithm().blockSize;
+ long cipherLen = (_length/blockSize + 1) * blockSize;
+ Cipher cipher = getCipher(getSecretKey());
+
+ InputStream boundedDis = new BoundedInputStream(dis, cipherLen);
+ return new BoundedInputStream(new CipherInputStream(boundedDis, cipher), _length);
 }
 public long getLength(){
diff --git a/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestDecryptor.java b/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestDecryptor.java
index 48bc7a15a3..d0f2c67f51 100644
--- a/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestDecryptor.java
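Review bot: `_length` is read straight from the file with `dis.readLong()` and fed unchecked into `cipherLen = (_length/blockSize + 1) * blockSize`, even though the new comment itself says this size field is known to be wrong in real-world documents. A negative value, or one close to `Long.MAX_VALUE` (the multiplication overflows), produces a non-positive `cipherLen`, and whether `BoundedInputStream` then reads nothing or reads without limit depends on that class, which is not visible here; a corrupt or hostile container should be rejected explicitly rather than fall through to cipher-level errors or an unbounded read. I would add, right after the `int blockSize = …` line, `if (_length < 0 || _length > Long.MAX_VALUE - blockSize) throw new IOException("invalid encrypted package length: " + _length);` — this assumes the method already declares `IOException`, which the unwrapped `readLong()` call on the context line suggests. The enclosing method begins before this hunk, so its signature and any existing validation are not visible.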
+++ b/src/ooxml/testcases/org/apache/poi/poifs/crypt/TestDecryptor.java
@@ -20,6 +20,8 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.GeneralSecurityException;
@@ -27,7 +29,9 @@ import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import org.apache.poi.POIDataSamples;
+import org.apache.poi.poifs.filesystem.NPOIFSFileSystem;
 import org.apache.poi.poifs.filesystem.POIFSFileSystem;
+import org.apache.poi.util.IOUtils;
 import org.junit.Test;
 /**
@@ -122,4 +126,25 @@ public class TestDecryptor {
 }
 }
+ @Test
+ public void bug57080() throws Exception {
+ // the test file contains a wrong ole entry size, produced by extenxls
+ // the fix limits the available size and tries to read all entries
+ File f = POIDataSamples.getPOIFSInstance().getFile("extenxls_pwd123.xlsx");
+ NPOIFSFileSystem fs = new NPOIFSFileSystem(f, true);
+ EncryptionInfo info = new EncryptionInfo(fs);
+ Decryptor d = Decryptor.getInstance(info);
+ d.verifyPassword("pwd123");
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ ZipInputStream zis = new ZipInputStream(d.getDataStream(fs));
+ ZipEntry ze;
+ while ((ze = zis.getNextEntry()) != null) {
+ bos.reset();
+ IOUtils.copy(zis, bos);
+ assertEquals(ze.getSize(), bos.size());
+ }
+
+ zis.close();
+ fs.close();
+ }
 }
\ No newline at end of file
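Review bot: In `bug57080` the `zis.close()` and `fs.close()` calls run only when every iteration succeeds; if `IOUtils.copy` or `assertEquals` throws — which is exactly the failure mode this test exists to catch — the `NPOIFSFileSystem` opened on the test file and the zip stream stay open for the rest of the JUnit run, and on platforms that lock open files a single regression can cascade into unrelated failures. I would wrap everything from the `ZipInputStream zis = …` line through the loop in `try { … } finally { zis.close(); fs.close(); }` so the handles are released on both paths. The password and fixture name are test-only values, so hard-coding them here is fine.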
diff --git a/test-data/poifs/extenxls_pwd123.xlsx b/test-data/poifs/extenxls_pwd123.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..a6ae896f91b8dafbd178807bef00c78b5c7ae5a7 GIT binary patch literal 10240 zcmeHtWmJ{h*6;@DMmnTJP`af%1SFO2l9rV2ZlqfT>6Vi2kVZgKx;r)v@3TF}ciel9 z<2~oz@7EpQotyd0wdOO|tQB())*czgTzp?axCHtG2!I}d?(PvmaR0!E0@~<5`xqb) z8qkLD?(XmJA?$|$0?q%ze^3TG@E|h>0%fjyXU;-1B5|fQwBe)D9=99N`RJqW(cRaj z_~I@JF16Vs_!NGZfQOpr*? z&HvVXv!j_pX(jrOgYCK3>)l>=Fl#=8=UpXO>-LG0pI_^pLTAKi?n+-fQ372-7xU51 zATI(;p7oPR701PHmxD}?p`;3YIp@4#pWqZzQ`aQ>F*tf6!M8D}nZm@4G3`bYi^A{T zJ1Jb{Ogm*%T$Y_UFb+`2V+N(!W^*|sfo~M$^3I|0+?#QA;Hkwbv;_FUtV&js9jeu=n!{OrEzwy59NxJva6EwA6`6ge>qCRYb^C2+D=^~YL zu#glisK`I*ty(wjq0}f(5QbPWPw82ddp}dL!#=C1m`|Mnnh-uaTUw0#7QXEnq1c2~ z@0gk0JwWY-rI%P&i!G`DOneVYcXf;2mmTlG?W_&atwY`VbEG`e)vO7PU{V5IrRzFI z6?5KH^M*KY0Pc(a>^=!$rX-2c^o@7Z@n`2l2F1om!CFF9B7+`Vm$#Fj2xlMUpX8yl zs5!V!$GxkhRo*>*Zn2!d6W-lDt26p|xO69X&jYu+#@T2p^Ky)%Ni2*qORais(sDLi$#bx->m^GrzFoU_*Ddo6<~v+yK#vI0g= zPfy7AHRtAR7XQh^Ah+gv!w;_#*Mbi36ppZcZ)P&fC6zUE#3vc{1nD^=LNH&0S87x5 z=$l5jSz2F6FAzSrg9?9@uJb%Gh!G(RQ9vDW0U1hIdj5Np&T2>1q;~p==|!_ym&|C! zC)Y?OXdy7#(tbv+z?;G2g0v&kS0aJ2BJPIrn5KK`YwFmR+>8UvhACGsiVdX4++U-H zH?0bB2g0taE?t-6rZu09rgHB@8LvVw=T&2Qs+a_mNsFu4sw5w}J7&Md6kJsONOsJe zP{u6=z48)H{|&fp5_jsZsrrxmpOm~wjiH00*V#lzdcRLea6e_(h8#V}$G|MWh;wC+ zXy&k$Y_Lr8ReK&Z-hJA2E6q3aVmXYFFRuLpUx@CKB)@iLX7^AK%M9%6(v&Qz=*)JT z!I8^mGaTHk;LT319W7|~el|xed^cr=1!qhjnw5&Oi&u@caOYs8FT=wsUyy-7>QVdk zTTN?Nuqci|K~DVwm8kY|9Gl%?;fT5prU6Rw_lrX4D!SXaY$D2<5f2rCXvx$DM^NuT zL4E*F+>Y3c>6EUev07m}*i&F7>Ej%x;enrPFkH+fHrzPQG*R<}@HC92f#B)_s}_e> z&tU7!Ti>hPLQR(-nuzTt`%k|6-Psq)b%-x4Yo8xGJSc9k!gFyoj9#PRknwrf)``d? 
zm)7)jL1zGIB&@k(<`uk9Y%;!^tA^L|`=<3F4~5u6&MhexaYm@)eq&BY&84{Lk-i*D z-a(Y<{Omz%m1J>of3AW@zNC4$Qn$v%xT0_88$H7hwb<@J9n4-GVe`xg$u^_rkJ_YBjv-N$x`2qFcip2ZnGv5}RcY;V?l~6b+}NGdS0k!V!gPcbi+B z@E$`mgQ=t{(`Yk!{*xo&N=m6(K4QB2mjqpuQMUBw(!5gjTQ^py{1Mi!vXO?yO<9>r z7MO3Nwp_Mf>~vwgT-1$vnRHetNi%>lh4eXA5!PakJiGc5CDHQM+yUA2Vi1 z=YEW>rdxTf#8xK!@a;r9>>mGQeK7wCTw}lr-%-G~qI z_c?nuf&__Nh9zZ!!9KqGxEyEO6G&H<{Z}vitDvEUgf95A(6M<2c@q#UxL~E0_P*=c z1bH0LD3MqjWY$vOH&sazu6>W#nxv<+Y#)uQ1!vn8zxCe&rMkz@;( z(LBmW+df();`P1G1_GH=VYZKh-`H7K;@eYlWluKTV5lJ2@kSB1lx=PH5JI=hH0sO0 z9*IFWp%=B~IptFgilE#mconFVs)nZU#qbnw1wPvNq5V|qq`$!@u5fpApEuUQ7%01* z#dtE>p!@-Yd~&QMYB%AB69$3UcMCRcAp|ck)Kg!V-Qn1xN7V8xljue5XF7i`R3;J* zV9;>Kabecg)lv+27Os)N9vhmxp?$-I4YqsyBwtzcs}btP(r(cF8=9=dR*U927{b>l z8B)8C(6#f=xE2G{UPuLWQ;=SuMDuOd_ltD(p`Y@%Ascl2O%NJMT$MH2On>5C-z%~$ ze$Wg5ElDi*rP@*rzpOJB4x*-(3|JZ+0gQSauew}O*C6CrO4lZb#I|r)q|tfYfse@X zq3cFp|2b}7LcqPo*b>!B|29~BS5W|S$(@aL4>}bE+v{u~j!iiSJ_$Rq&r4w=a%|yc z2X`t>xIRPvk=G58HpweXtSp=s62|e1O7nv(3(^$pI9;6kzEa9&O(RC7=N(GN&tnE> z$BP_LjNMl#IHLsZB*6@UZa%~zR8r$EmF5E-s2%t3LXb9iT4&pF6bqL***#1j-`P$= ziM3{Gha<3g>jVeRE-`Pra`9p*DEfJK#qz6{7Eu<+`?^-f?9JbZzzJuW=Zpz2JwZ z@fR{ooMQBh@QL*+{@%l~L)7s1KU*04UwZburC^yNH5k6_dUq7v=j=o;zeYhGMcT0d#mzNp_=G40K8=2K|SE=U?<`zf_w&K)Gg*-mUcg zGP>qUPrbLBA+~u7{cS$#^25M%dE<=W)yvZ)K90{Bd!9Sg;S3 zN$G1GUrX@dn(sC88eQ#XVZC2X0 zA3kx7A07uGCw>m&hp;jAtf$W?^pkF+)bv~}S)UBteLZGb4E=cU?u3$eaBSunc{5mb z)ra23y8tfh$duxKE#8W$s?{dctM`O5mniR9EKZqX){_Xnn0)S)%};?%!NS`&sU9#KErf-W?8|Jbp5*C{z5n z^eQ+AWQ_ea8-)|DQlhG(!1mm|3a4Sr$rrO7Vc;?+%c)9tu*W^;!xv%?M{F#7Jgt?m zu*UuVaE6r=G#JME*2K8_rsLKYFkvZzcFeizUNlQujfWvw>a*nCW(ji6iLL2iJf^q` zJP9s^6e6TFlUuH|0Yl-y$OlilnQe`#EUWfL7@1b~7u?i_xJ7rc-JDjNMaJ5p4!Osz z7)pA2w>{j|2a_G~5zR%k1+50^vO^=TnLVUHk61EBlc4+@E}!QUrjj5mQ88qL($`KE z(LVR-z@$B_$xCx7)7~^Dp*pi%?!bR@A-PZ2vw<@&xjWYuY_2q*iL|9+ME;C^NtS|V zHjk3fV>)(?YK7<08f~Oa!`Q=p%pkJ5a66#a+m7F=;7KjVoOobqV>D9ARE}XkMj3X9 zV3lf1_<@2uu7qD`!to3=Gl!^Dn9X~5>BW(K?wi7_AjwB>Ab1Xe2zSY`FZIua9#N-{BLPq&@QF 
zJM}L0DiR!wHRk5+(!SQH+pHTFs!@!eKq#qa?oy1#<~zQ2OI*UT>}j%1&=quCV8px} z;u#lIzIt4|^RlV>whjTyIF#417fEGhjr>OvvS%7JV(X5h=UmQ7(pShi7MA)Exwv0L ziRhCH+nub1obLN&zJU_TS8HE$3F4;O+o$iDYwB>HqAKtfEj?n2UCAO^g~xmd?^ox< z!+b5^7dNwv;FmM2rk#?SwZPlEzU@4GE+qD4X=lhYUPWPob=)uVT)!VlMIw6;+i8%E zp^-PVDJ&6>=*7Mm;m2J!JYtoeHQQLmUXMUb3kGK4)3QXTsW)*VNsTsoomX?z*=ltc zDaHo731=O|Qe_W$<6$GJLW_LOsx)%>gV^#w({rhEx2{Q1F4f+-At(ZzBv?T_#16#- z@|}7+ogwi0LwF(|6U~bD6PV;KyKVK$UX0%eC=msj66o3IFJHvHFVUBW*VyscnbDJ+ z*sOADOfT<46w-ul@5E{+W}#!_o^ZOi<#25=ZdcmPE0L=IYHGjA4b?;mjym4QsQ)+rwAxWLAfjrx)?*$Hy(q4QO%I2}kL z)(X2`Wzcuez{0y>dM=4)%4S95}f0ZCAs_4^iq^DvWUZyCXGVFOm zgEr4sP+4s{P=F1$g`RZamQyRC)-pMNLO`pU|M8?1hmDvh`c=OzIurvZIa6&SWtrK| zTaklG=Xdt_^%KnTcBY2deIfDGuFr$gH&%9^I}n{Aus<(elFQewie6P6Ee)@|NTjy; zg6%Qms9OJuekSiZgXCSQ53KQgW*qY)V_A@q8NX6F!`8BoJ%uXI#S4bAvT=;pu<0e= z2l)dql0Fc2=Pwb|qd~QxrdjCME11FGS)GP{h%yvs>oxAi)|dB?3WRs+zCwQtPC8yH(e$4lms8LP^oOi-piK0i4cMUE2gP_=H^h-DH&LCkc>FXXK#r)va}$@ zzK0p5%|X5P9dLA&PZDC#l8l_8da=mNdQ|q-1{Wabp?*kE3&S4%`lh3Xv2MX)SyWxluQT=r)m>(jOY=suq6W=aqvq|g)k=zD0DFDxSqkL`P# zi*k1b#?>J4=$(m``f(GoZZ{$3vG|J$4IPZrv6lYl@%{p+kC^*##=6z%OnH;K4AT43?h#;pZ@@z+#!@nD~p!U&>;ai+Xc%qL%@@QSn1KLkd z+oUEYt;5gjbKOt`Q;4s36!!O`CoCE5K(PQRleDLf^QLLd(hp zx;#%5@kQW24M(}JA6yqb-`bJGmm+#ma@5O_U0l09|Cy8&n=_HhLmSIPiKR?I#7?Y= zRUqW*)(JO8PZ9=PyFKO=SgBhjD7XN-sY=R1_u{+FB-$9)xp8(?><5Vo3kN#BO=aW_ z#ZkUb{BKU}8TWD);qP5;FOH_)M>N09z$h)Q58A;AFo>=*^!4}-W5d#>f$W;1I(25% zx1=5;$ghA30no=<@?wGE<6OCgu$ zSq8(>k~$Cy-V0Q8+@s(r#(&oKClu*J3#(BoAvpO8auO7*j6oL()<5h=z(rzS_OJ9pWe7Jo8f? z&RJ_=HNRw?dp}2UFt>KM#@SSFz` zGp~70WCyRr0}`1&e|Hvs_VLOrDRIm{uE)RX|Mp*h5OB)_4Wa@%IRHW^1kg-CAQ*2D z2>1ix1Nal#9A&_B{U7n#|G58x z0(3y|-vI<*5M->`?-Zhg3_wU;A-Vo7W01@${IF>OJWTh=|d0+Xd?rN@;mQ8=z8I9(nkSU{>K#mmHf~5`6R!!;C@+EeoFl{ z#RpEbpY|bp_gBCiIrSs&WYTj#=+ED4KxAM3sBQK@m4noge;qJ@{QtBMp?^mMiL(LdM8e>wjDU4Mwb3LfD7jQdyX@2}$jvw#0=g#GvY zL*^b*r+x+hmwmV&-!oqW-(~dw<+BfB>*2qVe@LE2e&y)D$%DlH6aJ2he_Vh6SpOmW r2y%u%_6KAwL)Hnz*PrztG7c5!Lns6x-^DS1@8AA(;J@@gDg*xm