aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDominik Stadler <centic@apache.org>2023-08-09 05:45:21 +0000
committerDominik Stadler <centic@apache.org>2023-08-09 05:45:21 +0000
commit2e8afc0c016cee39f56eb5e88ace66ed7f09c7b5 (patch)
tree295039bb910a006821e7294c13ff4879c2a1f835
parent543d6ad54b498081537d5c1ad5201fcf4606c784 (diff)
downloadpoi-2e8afc0c016cee39f56eb5e88ace66ed7f09c7b5.tar.gz
poi-2e8afc0c016cee39f56eb5e88ace66ed7f09c7b5.zip
Bug 66425: Avoid a StackOverflowException found via oss-fuzz
We try to avoid causing StackOverflow, but it was possible to trigger one here with a specially crafted input-file. This puts a limit on the number of nested properties in place and logs a warning when the StyleSheet is not fully parsed. Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61252 git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911563 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java32
-rw-r--r--poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java3
-rw-r--r--poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java3
-rw-r--r--test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.docbin0 -> 56832 bytes
-rw-r--r--test-data/spreadsheet/stress.xlsbin62464 -> 62464 bytes
5 files changed, 30 insertions, 8 deletions
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
index 348c23677f..e19332aa56 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
@@ -20,6 +20,8 @@ package org.apache.poi.hwpf.model;
import java.io.IOException;
import java.io.OutputStream;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
import org.apache.poi.hwpf.sprm.CharacterSprmUncompressor;
import org.apache.poi.hwpf.sprm.ParagraphSprmUncompressor;
import org.apache.poi.hwpf.usermodel.CharacterProperties;
@@ -39,6 +41,7 @@ import org.apache.poi.util.LittleEndianConsts;
*/
@Internal
public final class StyleSheet {
+ private static final Logger LOG = LogManager.getLogger(StyleSheet.class);
public static final int NIL_STYLE = 4095;
// private static final int PAP_TYPE = 1;
@@ -46,6 +49,9 @@ public final class StyleSheet {
// private static final int SEP_TYPE = 4;
// private static final int TAP_TYPE = 5;
+ private static final int MAX_PAPX_NESTING = 1000;
+ private static final int MAX_CHPX_NESTING = 1000;
+
@Deprecated
private static final ParagraphProperties NIL_PAP = new ParagraphProperties();
@Deprecated
@@ -114,8 +120,8 @@ public final class StyleSheet {
}
for (int x = 0; x < _styleDescriptions.length; x++) {
if (_styleDescriptions[x] != null) {
- createPap(x);
- createChp(x);
+ createPap(x, 0);
+ createChp(x, 0);
}
}
}
@@ -203,7 +209,14 @@ public final class StyleSheet {
* ParagraphProperties from (and also place the finished PAP in)
*/
@Deprecated
- private void createPap(int istd) {
+ private void createPap(int istd, int nesting) {
+ if (nesting > MAX_PAPX_NESTING) {
+ LOG.warn("Encountered too deep nesting, cannot fully process stylesheet at " + istd +
+ " with more than " + MAX_PAPX_NESTING + " nested ParagraphProperties." +
+ " Some data could not be parsed.");
+ return;
+ }
+
StyleDescription sd = _styleDescriptions[istd];
if (sd == null) {
throw new IllegalStateException("Cannot create Pap, empty styleDescription, had : " + _styleDescriptions.length + " descriptions");
@@ -227,7 +240,7 @@ public final class StyleSheet {
throw new IllegalStateException("Pap style " + istd + " claimed to have itself as its parent, which isn't allowed");
}
// Create the parent style
- createPap(baseIndex);
+ createPap(baseIndex, nesting+1);
parentPAP = styleDescription.getPAP();
}
@@ -253,7 +266,14 @@ public final class StyleSheet {
* CharacterProperties object from.
*/
@Deprecated
- private void createChp(int istd) {
+ private void createChp(int istd, int nesting) {
+ if (nesting > MAX_CHPX_NESTING) {
+ LOG.warn("Encountered too deep nesting, cannot fully process stylesheet at " + istd +
+ " with more than " + MAX_CHPX_NESTING + " nested CharacterProperties." +
+ " Some data could not be parsed.");
+ return;
+ }
+
StyleDescription sd = _styleDescriptions[istd];
if (sd == null) {
throw new IllegalStateException("Cannot create Chp, empty styleDescription, had : " + _styleDescriptions.length + " descriptions");
@@ -282,7 +302,7 @@ public final class StyleSheet {
parentCHP = styleDescription.getCHP();
if (parentCHP == null) {
- createChp(baseIndex);
+ createChp(baseIndex, nesting + 1);
parentCHP = styleDescription.getCHP();
}
if (parentCHP == null) {
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
index 9f97d63309..cafc6c3dfa 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
@@ -58,7 +58,8 @@ public class TestWordToConverterSuite
// Corrupt files
"Fuzzed.doc",
"clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
- "TestHPSFWritingFunctionality.doc"
+ "TestHPSFWritingFunctionality.doc",
+ "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc"
);
public static Stream<Arguments> files() {
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
index 0d084157c9..4bb810735f 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
@@ -50,7 +50,8 @@ public class TestWordToTextConverter {
"TestRobert_Flaherty.doc",
// Corrupt files
"clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
- "TestHPSFWritingFunctionality.doc"
+ "TestHPSFWritingFunctionality.doc",
+ "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc"
);
/**
diff --git a/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc
new file mode 100644
index 0000000000..ce753c01b2
--- /dev/null
+++ b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc
Binary files differ
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index cf344f0b84..b9ac3702aa 100644
--- a/test-data/spreadsheet/stress.xls
+++ b/test-data/spreadsheet/stress.xls
Binary files differ