diff options
| author | Dominik Stadler <centic@apache.org> | 2022-01-06 11:10:00 +0000 |
|---|---|---|
| committer | Dominik Stadler <centic@apache.org> | 2022-01-06 11:10:00 +0000 |
| commit | 729d78cda69e489a40f33d8e6c0056c4f4758099 (patch) | |
| tree | eed44e9f952bda2849de1bbfbde3a3f5f70238a9 | |
| parent | 71f063b465244bd954ea39883ced713a49dc1b67 (diff) | |
| download | poi-729d78cda69e489a40f33d8e6c0056c4f4758099.tar.gz poi-729d78cda69e489a40f33d8e6c0056c4f4758099.zip | |
Limit allocated elements in the PlfLfo structure for word documents
Use large allocation-detection here as well,
otherwise some documents can try to allocate too much memory.
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1896744 13f79535-47bb-0310-9956-ffa450edef68
| -rw-r--r-- | poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java | 8 | ||||
| -rw-r--r-- | poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java | 4 | ||||
| -rw-r--r-- | test-data/document/Fuzzed.doc | bin | 0 -> 335360 bytes | |||
| -rw-r--r-- | test-data/spreadsheet/stress.xls | bin | 51712 -> 38912 bytes |
4 files changed, 9 insertions, 3 deletions
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java index b92c2d41b2..a9f54d32c9 100644 --- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java +++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java @@ -26,6 +26,7 @@ import java.util.NoSuchElementException; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.apache.poi.hwpf.model.types.LFOAbstractType; +import org.apache.poi.util.IOUtils; import org.apache.poi.util.LittleEndian; import org.apache.poi.util.LittleEndianConsts; @@ -37,10 +38,11 @@ import static org.apache.logging.log4j.util.Unbox.box; * Documentation quoted from Page 424 of 621. [MS-DOC] -- v20110315 Word (.doc) * Binary File Format */ -public class PlfLfo -{ +public class PlfLfo { private static final Logger LOGGER = LogManager.getLogger(PlfLfo.class); + private static final int MAX_NUMBER_OF_LFO = 100_000; + /** * An unsigned integer that specifies the count of elements in both the * rgLfo and rgLfoData arrays. @@ -76,6 +78,8 @@ public class PlfLfo + Integer.MAX_VALUE + " elements" ); } + IOUtils.safelyAllocateCheck(lfoMacLong, MAX_NUMBER_OF_LFO); + this._lfoMac = (int) lfoMacLong; _rgLfo = new LFO[_lfoMac]; _rgLfoData = new LFOData[_lfoMac]; diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java index fcae380bbf..0df1b84f6b 100644 --- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java +++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java @@ -54,7 +54,9 @@ public class TestWordToConverterSuite "password_tika_binaryrc4.doc", "password_password_cryptoapi.doc", // WORD 2.0 file - "word2.doc" + "word2.doc", + // Corrupt file + "Fuzzed.doc" ); public static Stream<Arguments> files() { diff --git a/test-data/document/Fuzzed.doc b/test-data/document/Fuzzed.doc Binary files differnew file mode 100644 index 0000000000..c8201d8859 --- /dev/null +++ b/test-data/document/Fuzzed.doc diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls Binary files differindex 4a3e253615..bd26bf16d1 100644 --- a/test-data/spreadsheet/stress.xls +++ b/test-data/spreadsheet/stress.xls |