mirrors
/
poi
mirror of https://github.com/apache/poi.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 100 Wiki Activity
Browse Source

Prevent an overly large allocation when using HPSF 

Add a sample document from fuzzing which contains invalid/oversized values

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1899749 13f79535-47bb-0310-9956-ffa450edef68
tags/REL_5_2_3
Dominik Stadler 2 years ago
parent
0ac26e7b1d
commit
f8e27ee19b
4 changed files with 11 additions and 5 deletions
Split View Show Diff Stats
  1. 9
    5
      poi/src/main/java/org/apache/poi/hpsf/Array.java
  2. 2
    0
      poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
  3. BIN
      test-data/spreadsheet/poi-fuzz.xls
  4. BIN
      test-data/spreadsheet/stress.xls

+ 9
- 5
poi/src/main/java/org/apache/poi/hpsf/Array.java View File

@@ -16,12 +16,15 @@
==================================================================== */
package org.apache.poi.hpsf;

import org.apache.poi.util.IOUtils;
import org.apache.poi.util.Internal;
import org.apache.poi.util.LittleEndianByteArrayInputStream;

@Internal
public class Array
{
public class Array {

private static final int MAX_NUMBER_OF_ARRAY_SCALARS = 100_000;

static class ArrayDimension {
private long _size;
@SuppressWarnings("unused")
@@ -33,8 +36,7 @@ public class Array
}
}

static class ArrayHeader
{
static class ArrayHeader {
private ArrayDimension[] _dimensions;
private int _type;

@@ -47,7 +49,7 @@ public class Array
String msg = "Array dimension number "+numDimensionsUnsigned+" is not in [1; 31] range";
throw new IllegalPropertySetDataException(msg);
}
int numDimensions = (int) numDimensionsUnsigned;

_dimensions = new ArrayDimension[numDimensions];
@@ -86,6 +88,8 @@ public class Array
}
int numberOfScalars = (int) numberOfScalarsLong;

IOUtils.safelyAllocateCheck(numberOfScalars, MAX_NUMBER_OF_ARRAY_SCALARS);

_values = new TypedPropertyValue[numberOfScalars];
int paddedType = (_header._type == Variant.VT_VARIANT) ? 0 : _header._type;
for ( int i = 0; i < numberOfScalars; i++ ) {

+ 2
- 0
poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java View File

@@ -40,6 +40,8 @@ class TestBiffViewer extends BaseTestIteratingXLS {
excludes.put("XRefCalc.xls", RuntimeException.class);

excludes.put("61300.xls", IndexOutOfBoundsException.class);
excludes.put("poi-fuzz.xls", RecordFormatException.class);

return excludes;
}


BIN
test-data/spreadsheet/poi-fuzz.xls View File


BIN
test-data/spreadsheet/stress.xls View File


Write Preview
Loading…
Cancel
Save