diff options
author | Dominik Stadler <centic@apache.org> | 2023-08-09 05:45:21 +0000 |
---|---|---|
committer | Dominik Stadler <centic@apache.org> | 2023-08-09 05:45:21 +0000 |
commit | 2e8afc0c016cee39f56eb5e88ace66ed7f09c7b5 (patch) | |
tree | 295039bb910a006821e7294c13ff4879c2a1f835 | |
parent | 543d6ad54b498081537d5c1ad5201fcf4606c784 (diff) | |
download | poi-2e8afc0c016cee39f56eb5e88ace66ed7f09c7b5.tar.gz poi-2e8afc0c016cee39f56eb5e88ace66ed7f09c7b5.zip |
Bug 66425: Avoid a StackOverflowException found via oss-fuzz
We try to avoid causing StackOverflow, but it was possible
to trigger one here with a specially crafted input-file.
This puts a limit on the number of nested properties in place
and logs a warning when the StyleSheet is not fully parsed.
Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61252
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911563 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r-- | poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java | 32 | ||||
-rw-r--r-- | poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java | 3 | ||||
-rw-r--r-- | poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java | 3 | ||||
-rw-r--r-- | test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc | bin | 0 -> 56832 bytes | |||
-rw-r--r-- | test-data/spreadsheet/stress.xls | bin | 62464 -> 62464 bytes |
5 files changed, 30 insertions, 8 deletions
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java index 348c23677f..e19332aa56 100644 --- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java +++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java @@ -20,6 +20,8 @@ package org.apache.poi.hwpf.model; import java.io.IOException; import java.io.OutputStream; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.apache.poi.hwpf.sprm.CharacterSprmUncompressor; import org.apache.poi.hwpf.sprm.ParagraphSprmUncompressor; import org.apache.poi.hwpf.usermodel.CharacterProperties; @@ -39,6 +41,7 @@ import org.apache.poi.util.LittleEndianConsts; */ @Internal public final class StyleSheet { + private static final Logger LOG = LogManager.getLogger(StyleSheet.class); public static final int NIL_STYLE = 4095; // private static final int PAP_TYPE = 1; @@ -46,6 +49,9 @@ public final class StyleSheet { // private static final int SEP_TYPE = 4; // private static final int TAP_TYPE = 5; + private static final int MAX_PAPX_NESTING = 1000; + private static final int MAX_CHPX_NESTING = 1000; + @Deprecated private static final ParagraphProperties NIL_PAP = new ParagraphProperties(); @Deprecated @@ -114,8 +120,8 @@ public final class StyleSheet { } for (int x = 0; x < _styleDescriptions.length; x++) { if (_styleDescriptions[x] != null) { - createPap(x); - createChp(x); + createPap(x, 0); + createChp(x, 0); } } } @@ -203,7 +209,14 @@ public final class StyleSheet { * ParagraphProperties from (and also place the finished PAP in) */ @Deprecated - private void createPap(int istd) { + private void createPap(int istd, int nesting) { + if (nesting > MAX_PAPX_NESTING) { + LOG.warn("Encountered too deep nesting, cannot fully process stylesheet at " + istd + + " with more than " + MAX_PAPX_NESTING + " nested ParagraphProperties." + + " Some data could not be parsed."); + return; + } + StyleDescription sd = _styleDescriptions[istd]; if (sd == null) { throw new IllegalStateException("Cannot create Pap, empty styleDescription, had : " + _styleDescriptions.length + " descriptions"); @@ -227,7 +240,7 @@ public final class StyleSheet { throw new IllegalStateException("Pap style " + istd + " claimed to have itself as its parent, which isn't allowed"); } // Create the parent style - createPap(baseIndex); + createPap(baseIndex, nesting+1); parentPAP = styleDescription.getPAP(); } @@ -253,7 +266,14 @@ public final class StyleSheet { * CharacterProperties object from. */ @Deprecated - private void createChp(int istd) { + private void createChp(int istd, int nesting) { + if (nesting > MAX_CHPX_NESTING) { + LOG.warn("Encountered too deep nesting, cannot fully process stylesheet at " + istd + + " with more than " + MAX_CHPX_NESTING + " nested CharacterProperties." + + " Some data could not be parsed."); + return; + } + StyleDescription sd = _styleDescriptions[istd]; if (sd == null) { throw new IllegalStateException("Cannot create Chp, empty styleDescription, had : " + _styleDescriptions.length + " descriptions"); @@ -282,7 +302,7 @@ public final class StyleSheet { parentCHP = styleDescription.getCHP(); if (parentCHP == null) { - createChp(baseIndex); + createChp(baseIndex, nesting + 1); parentCHP = styleDescription.getCHP(); } if (parentCHP == null) { diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java index 9f97d63309..cafc6c3dfa 100644 --- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java +++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java @@ -58,7 +58,8 @@ public class TestWordToConverterSuite // Corrupt files "Fuzzed.doc", "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc", - "TestHPSFWritingFunctionality.doc" + "TestHPSFWritingFunctionality.doc", + "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc" ); public static Stream<Arguments> files() { diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java index 0d084157c9..4bb810735f 100644 --- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java +++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java @@ -50,7 +50,8 @@ public class TestWordToTextConverter { "TestRobert_Flaherty.doc", // Corrupt files "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc", - "TestHPSFWritingFunctionality.doc" + "TestHPSFWritingFunctionality.doc", + "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc" ); /** diff --git a/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc Binary files differnew file mode 100644 index 0000000000..ce753c01b2 --- /dev/null +++ b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls Binary files differindex cf344f0b84..b9ac3702aa 100644 --- a/test-data/spreadsheet/stress.xls +++ b/test-data/spreadsheet/stress.xls |