From df3910135fd9c442b4e746e4b156362fd2e8d755 Mon Sep 17 00:00:00 2001
From: Tim Allison <tallison@apache.org>
Date: Tue, 25 Jul 2017 01:38:35 +0000
Subject: [PATCH] 61295 -- prevent potential oom in HPSF triggered by fuzzed
 file

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1802879 13f79535-47bb-0310-9956-ffa450edef68
---
 src/java/org/apache/poi/hpsf/Vector.java | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/java/org/apache/poi/hpsf/Vector.java b/src/java/org/apache/poi/hpsf/Vector.java
index 31c1cba112..80c8565631 100644
--- a/src/java/org/apache/poi/hpsf/Vector.java
+++ b/src/java/org/apache/poi/hpsf/Vector.java
@@ -16,6 +16,9 @@
 ==================================================================== */
 package org.apache.poi.hpsf;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import org.apache.poi.util.Internal;
 import org.apache.poi.util.LittleEndianByteArrayInputStream;
 
@@ -40,8 +43,11 @@ class Vector {
         }
         final int length = (int) longLength;
 
-        _values = new TypedPropertyValue[length];
-
+        //BUG-61295 -- avoid OOM on corrupt file.  Build list instead
+        //of allocating array of length "length".
+        //If the length is corrupted and crazily big but < Integer.MAX_VALUE,
+        //this will trigger a RuntimeException "Buffer overrun" in lei.checkPosition
+        List<TypedPropertyValue> values = new ArrayList<TypedPropertyValue>();
         int paddedType = (_type == Variant.VT_VARIANT) ? 0 : _type;
         for ( int i = 0; i < length; i++ ) {
             TypedPropertyValue value = new TypedPropertyValue(paddedType, null);
@@ -50,8 +56,9 @@ class Vector {
             } else {
                 value.readValue(lei);
             }
-            _values[i] = value;
+            values.add(value);
         }
+        _values = values.toArray(new TypedPropertyValue[values.size()]);
     }
 
     TypedPropertyValue[] getValues(){
-- 
2.39.5