aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDominik Stadler <centic@apache.org>2022-03-20 06:52:51 +0000
committerDominik Stadler <centic@apache.org>2022-03-20 06:52:51 +0000
commitd648c6d652f1d56f05adeb17f3f5891c0202ac57 (patch)
treee1e71618b2150bacf87016709cbd5500969d7052
parent9df7e2d8479c8dfcc365e1766407517c90427d6b (diff)
downloadpoi-d648c6d652f1d56f05adeb17f3f5891c0202ac57.tar.gz
poi-d648c6d652f1d56f05adeb17f3f5891c0202ac57.zip
Fix issues found when fuzzing Apache POI via Jazzer
Throw RecordFormatException instead of NPE or assertion for cases that can be triggered by a malformed document git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1899073 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java4
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java7
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java5
3 files changed, 13 insertions, 3 deletions
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
index 1c6f6c3945..3b69f66a0f 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
@@ -50,6 +50,7 @@ import org.apache.poi.sl.usermodel.PresetColor;
import org.apache.poi.sl.usermodel.Shape;
import org.apache.poi.sl.usermodel.ShapeContainer;
import org.apache.poi.sl.usermodel.ShapeType;
+import org.apache.poi.util.RecordFormatException;
import org.apache.poi.util.Removal;
import org.apache.poi.util.StringUtil;
import org.apache.poi.util.Units;
@@ -167,6 +168,9 @@ public abstract class HSLFShape implements Shape<HSLFShape,HSLFTextParagraph> {
LOG.atWarn().log("EscherSpRecord.FLAG_CHILD is set but EscherChildAnchorRecord was not found");
}
EscherClientAnchorRecord clientRec = getEscherChild(EscherClientAnchorRecord.RECORD_ID);
+ if (clientRec == null) {
+ throw new RecordFormatException("Could not read record 'CLIENT_ANCHOR' with record-id: " + EscherClientAnchorRecord.RECORD_ID);
+ }
x1 = clientRec.getCol1();
y1 = clientRec.getFlag();
x2 = clientRec.getDx1();
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java
index b13789f843..41692b77fe 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java
@@ -42,6 +42,7 @@ import org.apache.poi.hslf.record.Record;
import org.apache.poi.hslf.record.RecordTypes;
import org.apache.poi.sl.usermodel.ShapeContainer;
import org.apache.poi.sl.usermodel.ShapeType;
+import org.apache.poi.util.RecordFormatException;
/**
* Create a <code>Shape</code> object depending on its type
@@ -90,9 +91,12 @@ public final class HSLFShapeFactory {
}
public static HSLFShape createSimpleShape(EscherContainerRecord spContainer, ShapeContainer<HSLFShape,HSLFTextParagraph> parent){
- HSLFShape shape = null;
EscherSpRecord spRecord = spContainer.getChildById(EscherSpRecord.RECORD_ID);
+ if (spRecord == null) {
+ throw new RecordFormatException("Could not read EscherSpRecord as child of " + spContainer.getRecordName());
+ }
+ final HSLFShape shape;
ShapeType type = ShapeType.forId(spRecord.getShapeType(), false);
switch (type){
case TEXT_BOX:
@@ -167,5 +171,4 @@ public final class HSLFShapeFactory {
}
return null;
}
-
}
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java
index 273f9e87ed..1dfeda874f 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java
@@ -47,6 +47,7 @@ import org.apache.poi.util.Internal;
import org.apache.poi.util.LittleEndian;
import org.apache.poi.util.LittleEndianByteArrayInputStream;
import org.apache.poi.util.LittleEndianByteArrayOutputStream;
+import org.apache.poi.util.RecordFormatException;
/**
* This class provides helper functions for encrypted PowerPoint documents.
@@ -100,7 +101,9 @@ public class HSLFSlideShowEncrypted implements Closeable {
}
org.apache.poi.hslf.record.Record r = recordMap.get(userEditAtomWithEncryption.getPersistPointersOffset());
- assert(r instanceof PersistPtrHolder);
+ if (!(r instanceof PersistPtrHolder)) {
+ throw new RecordFormatException("Encountered an unexpected record-type: " + r);
+ }
PersistPtrHolder ptr = (PersistPtrHolder)r;
Integer encOffset = ptr.getSlideLocationsLookup().get(userEditAtomWithEncryption.getEncryptSessionPersistIdRef());