authorDominik Stadler <centic@apache.org>2023-10-07 22:12:25 +0000
committerDominik Stadler <centic@apache.org>2023-10-07 22:12:25 +0000
commit6fae5bbc185301057913a800f14202be8d630cf2 (patch)
tree38f796f7f630bc6b89ecae138e6999d0e20f4be7
parentc331c5d26a45a7c5bc1d8cc9030b939ead644f08 (diff)
downloadpoi-6fae5bbc185301057913a800f14202be8d630cf2.tar.gz
poi-6fae5bbc185301057913a800f14202be8d630cf2.zip
Bug 66425: Avoid Exceptions found via oss-fuzz
We try to avoid throwing NullPointerExceptions or endless allocations, but it was possible to trigger one here with a specially crafted input file.

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62697

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1912793 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java4
-rw-r--r--poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java3
-rw-r--r--poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java1
-rw-r--r--poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java4
-rw-r--r--test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xlsbin0 -> 3182 bytes
-rw-r--r--test-data/spreadsheet/stress.xlsbin56320 -> 56832 bytes
6 files changed, 9 insertions, 3 deletions
diff --git a/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java b/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java
index d840078c73..16786e6dae 100644
--- a/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java
+++ b/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java
@@ -48,7 +48,9 @@ class SSTDeserializer {
UnicodeString str;
if (in.available() == 0 && (!in.hasNextRecord() || in.getNextSid() != ContinueRecord.sid)) {
LOG.atError().log("Ran out of data before creating all the strings! String at index {}", box(i));
- str = new UnicodeString("");
+
+ // not much sense in trying to continue reading in this case, file seems to be broken
+ return;
} else {
str = new UnicodeString(in);
}
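Review bot: The early `return` in the out-of-data branch leaves the string table shorter than the declared count, and the caller gets no signal beyond an error log line. The updated TestSSTDeserializer in this commit shows the consequence: a later lookup of a missing index surfaces as an `IndexOutOfBoundsException`, far from where the truncation was detected. For files from untrusted sources it would be clearer to fail here with a format-level exception (POI's `RecordFormatException`, for instance), or at least to document the contract with a comment such as `// table may hold fewer strings than declared; callers must bounds-check SST indices`. With the `return` in place the `else` wrapper is also redundant, so `str = new UnicodeString(in);` can follow the `if` directly. The enclosing loop and method begin and end outside this hunk.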
diff --git a/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java b/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java
index a4e76fab89..92021f2f26 100644
--- a/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java
+++ b/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java
@@ -169,7 +169,8 @@ public final class DocumentInputStream extends InputStream implements LittleEndi
throw new IllegalArgumentException("buffer must not be null");
}
if (off < 0 || len < 0 || b.length < off + len) {
- throw new IndexOutOfBoundsException("can't read past buffer boundaries");
+ throw new IndexOutOfBoundsException("can't read past buffer boundaries with off: " + off +
+ ", len: " + len + ", b.length: " + b.length);
}
if (len == 0) {
return 0;
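Review bot: The bounds check `b.length < off + len` can be bypassed by integer overflow: with both values non-negative and large (for example `off = Integer.MAX_VALUE`, `len = 1`) the sum wraps negative and the comparison is false, so the new, more detailed message is never produced. Writing the guard as `if (off < 0 || len < 0 || len > b.length - off) {` avoids the addition and cannot overflow once `off` is known to be non-negative. What the out-of-range values then reach lies outside this hunk; presumably a later array copy still throws, but with a less useful exception than the one this commit improves. The method's signature and the rest of its body are outside the hunk.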
diff --git a/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java b/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
index 26627b5a9b..6e18940a72 100644
--- a/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
+++ b/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
@@ -88,6 +88,7 @@ public abstract class BaseTestIteratingXLS {
excludes.put("64130.xls", OldExcelFormatException.class);
// fuzzed binaries
excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-6322470200934400.xls", RuntimeException.class);
+ excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls", RuntimeException.class);
return excludes;
}
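Review bot: Registering the new fuzz file with `RuntimeException.class` is a very loose expectation for a commit whose stated goal is to avoid NullPointerExceptions. If the harness accepts subclasses (the matching code is not visible here), an NPE or any other unchecked failure on this file would still count as a pass. Naming the specific exception type this file now produces would make the regression test pin the fixed behaviour; the existing entry on the line above has the same looseness. The method starts outside this hunk.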
diff --git a/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java b/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java
index c627bbfc55..3dcdf87a27 100644
--- a/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java
+++ b/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java
@@ -18,6 +18,7 @@
package org.apache.poi.hssf.record;
import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
import java.io.IOException;
import java.io.InputStream;
@@ -137,6 +138,7 @@ final class TestSSTDeserializer {
deserializer.manufactureStrings(2, in);
assertEquals("At a dinner party or", strings.get(0) + "");
- assertEquals("", strings.get(1) + "");
+ assertThrows(IndexOutOfBoundsException.class,
+ () -> strings.get(1));
}
}
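Review bot: The new assertion documents the truncated table only indirectly, through whatever exception `strings.get(1)` happens to throw for a missing index. An explicit size check before it, e.g. `assertEquals(1, strings.size());` (assuming the container exposes `size()`), would state the contract directly and keep passing if the container's out-of-range behaviour changes. The test method begins outside this hunk.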
diff --git a/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls b/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls
new file mode 100644
index 0000000000..524001f77e
--- /dev/null
+++ b/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls
Binary files differ
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 2352603880..d06a4e4d5b 100644
--- a/test-data/spreadsheet/stress.xls
+++ b/test-data/spreadsheet/stress.xls
Binary files differ