Browse Source
[bug-65899] fix issue where malformed tnef file can cause memory problems
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1898208 13f79535-47bb-0310-9956-ffa450edef68tags/REL_5_2_1
PJ Fanning
2 years ago
3 changed files with 22 additions and 3 deletions
+ 9
- 3
poi-scratchpad/src/main/java/org/apache/poi/hmef/attribute/MAPIAttribute.java
View File
| MAPIProperty prop = MAPIProperty.get(id); | MAPIProperty prop = MAPIProperty.get(id); | ||||
| if(id >= 0x8000 && id <= 0xFFFF) { | if(id >= 0x8000 && id <= 0xFFFF) { | ||||
| byte[] guid = new byte[16]; | byte[] guid = new byte[16]; | ||||
| IOUtils.readFully(inp, guid); | |||||
| if (IOUtils.readFully(inp, guid) < 0) { | |||||
| throw new IOException("Not enough data to read guid"); | |||||
| } | |||||
| int mptype = LittleEndian.readInt(inp); | int mptype = LittleEndian.readInt(inp); | ||||
| // Get the name of it | // Get the name of it | ||||
| // Custom name was stored | // Custom name was stored | ||||
| int mplen = LittleEndian.readInt(inp); | int mplen = LittleEndian.readInt(inp); | ||||
| byte[] mpdata = IOUtils.safelyAllocate(mplen, MAX_RECORD_LENGTH); | byte[] mpdata = IOUtils.safelyAllocate(mplen, MAX_RECORD_LENGTH); | ||||
| IOUtils.readFully(inp, mpdata); | |||||
| if (IOUtils.readFully(inp, mpdata) < 0) { | |||||
| throw new IOException("Not enough data to read " + mplen + " bytes for attribute name"); | |||||
| } | |||||
| name = StringUtil.getFromUnicodeLE(mpdata, 0, (mplen/2)-1); | name = StringUtil.getFromUnicodeLE(mpdata, 0, (mplen/2)-1); | ||||
| skipToBoundary(mplen, inp); | skipToBoundary(mplen, inp); | ||||
| } | } | ||||
| for(int j=0; j<values; j++) { | for(int j=0; j<values; j++) { | ||||
| int len = getLength(type, inp); | int len = getLength(type, inp); | ||||
| byte[] data = IOUtils.safelyAllocate(len, MAX_RECORD_LENGTH); | byte[] data = IOUtils.safelyAllocate(len, MAX_RECORD_LENGTH); | ||||
| IOUtils.readFully(inp, data); | |||||
| if (IOUtils.readFully(inp, data) < 0) { | |||||
| throw new IOException("Not enough data to read " + len + " bytes of attribute value"); | |||||
| } | |||||
| skipToBoundary(len, inp); | skipToBoundary(len, inp); | ||||
| // Create | // Create |
+ 13
- 0
poi-scratchpad/src/test/java/org/apache/poi/hmef/attribute/TestTNEFAttributes.java
View File
| import static org.junit.jupiter.api.Assertions.assertEquals; | import static org.junit.jupiter.api.Assertions.assertEquals; | ||||
| import static org.junit.jupiter.api.Assertions.assertNotNull; | import static org.junit.jupiter.api.Assertions.assertNotNull; | ||||
| import static org.junit.jupiter.api.Assertions.assertTrue; | |||||
| import java.io.ByteArrayInputStream; | import java.io.ByteArrayInputStream; | ||||
| import java.io.IOException; | |||||
| import java.io.InputStream; | import java.io.InputStream; | ||||
| import java.nio.charset.StandardCharsets; | import java.nio.charset.StandardCharsets; | ||||
| import java.text.DateFormat; | import java.text.DateFormat; | ||||
| } | } | ||||
| } | } | ||||
| /** | |||||
| * Test malformed TNEF is detected by MAPIAttribute and does not cause Out Of Memory error | |||||
| */ | |||||
| @Test | |||||
| void testMalformedTNEF() throws Exception { | |||||
| try (InputStream is = _samples.openResourceAsStream("oom.tnef")) { | |||||
| quick = new HMEFMessage(is); | |||||
| } catch (Exception e) { | |||||
| assertTrue(e instanceof IOException); | |||||
| } | |||||
| } | |||||
| /** | /** | ||||
| * Test counts | * Test counts | ||||
| */ | */ |
BIN
test-data/hmef/oom.tnef
View File
Loading…