From fe58c66883a59d11874344ccfaadc47b59ad17ca Mon Sep 17 00:00:00 2001 From: Nick Burch Date: Tue, 25 Jun 2013 15:49:45 +0000 Subject: [PATCH] Sanity check the length, logging and truncating if too long, to avoid a StringIndexOutOfBoundsException (bug #54925) git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1496520 13f79535-47bb-0310-9956-ffa450edef68 --- .../org/apache/poi/hslf/record/StyleTextPropAtom.java | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java b/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java index a877da1f24..953b0a25a1 100644 --- a/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java +++ b/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java @@ -273,6 +273,7 @@ public final class StyleTextPropAtom extends RecordAtom while(pos < rawContents.length && textHandled < prsize) { // First up, fetch the number of characters this applies to int textLen = LittleEndian.getInt(rawContents,pos); + textLen = checkTextLength(textLen, textHandled, size); textHandled += textLen; pos += 4; @@ -308,6 +309,7 @@ public final class StyleTextPropAtom extends RecordAtom while(pos < rawContents.length && textHandled < chsize) { // First up, fetch the number of characters this applies to int textLen = LittleEndian.getInt(rawContents,pos); + textLen = checkTextLength(textLen, textHandled, size); textHandled += textLen; pos += 4; @@ -345,6 +347,15 @@ public final class StyleTextPropAtom extends RecordAtom initialised = true; } + + private int checkTextLength(int readLength, int handledSoFar, int overallSize) { + if (readLength + handledSoFar > overallSize + 1) { + logger.log(POILogger.WARN, "Style length of " + readLength + " at " + handledSoFar + + " larger than stated size of " + overallSize + ", truncating"); + return overallSize + 1 - handledSoFar; + } + return readLength; + } /** -- 2.39.5