aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDominik Stadler <centic@apache.org>2023-09-08 16:02:13 +0000
committerDominik Stadler <centic@apache.org>2023-09-08 16:02:13 +0000
commit5cb768379d6a26de336117402959d960de5cf91b (patch)
tree9f438e66eda2a2cdf1a129ad3a63db7688848779
parentf90415ef0ed147a70357cb5f60aa11c95fcc6074 (diff)
downloadpoi-5cb768379d6a26de336117402959d960de5cf91b.tar.gz
poi-5cb768379d6a26de336117402959d960de5cf91b.zip
Bug 66425: Avoid a NullPointerException found via oss-fuzz
We try to avoid throwing NullPointerException, but it was possible to trigger one here with a specially crafted input-file Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62128 git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1912199 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hwpf/sprm/TableSprmUncompressor.java89
-rw-r--r--poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java8
-rw-r--r--poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java3
-rw-r--r--test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5050208641482752.docbin0 -> 56805 bytes
-rw-r--r--test-data/spreadsheet/stress.xlsbin50688 -> 51200 bytes
5 files changed, 35 insertions, 65 deletions
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/sprm/TableSprmUncompressor.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/sprm/TableSprmUncompressor.java
index 267f6b6875..e227403227 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/sprm/TableSprmUncompressor.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/sprm/TableSprmUncompressor.java
@@ -30,44 +30,39 @@ public final class TableSprmUncompressor extends SprmUncompressor {
private static final Logger LOG = LogManager.getLogger(TableSprmUncompressor.class);
- public TableSprmUncompressor()
- {
+ public TableSprmUncompressor() {
}
- public static TableProperties uncompressTAP( SprmBuffer sprmBuffer )
- {
+ public static TableProperties uncompressTAP( SprmBuffer sprmBuffer ) {
TableProperties tableProperties;
+ if (sprmBuffer == null) {
+ throw new IllegalArgumentException("Cannot process TableProperties with an empty SprmBuffer");
+ }
+
SprmOperation sprmOperation = sprmBuffer.findSprm( (short) 0xd608 );
- if ( sprmOperation != null )
- {
+ if ( sprmOperation != null ) {
byte[] grpprl = sprmOperation.getGrpprl();
int offset = sprmOperation.getGrpprlOffset();
short itcMac = grpprl[offset];
tableProperties = new TableProperties( itcMac );
- }
- else
- {
+ } else {
LOG.atWarn().log("Some table rows didn't specify number of columns in SPRMs");
tableProperties = new TableProperties( (short) 1 );
}
- for ( SprmIterator iterator = sprmBuffer.iterator(); iterator.hasNext(); )
- {
+ for ( SprmIterator iterator = sprmBuffer.iterator(); iterator.hasNext(); ) {
SprmOperation sprm = iterator.next();
/*
* TAPXs are actually PAPXs so we have to make sure we are only
* trying to uncompress the right type of sprm.
*/
- if ( sprm.getType() == SprmOperation.TYPE_TAP )
- {
- try
- {
+ if ( sprm.getType() == SprmOperation.TYPE_TAP ) {
+ try {
unCompressTAPOperation( tableProperties, sprm );
}
- catch ( ArrayIndexOutOfBoundsException ex )
- {
+ catch ( ArrayIndexOutOfBoundsException ex ) {
LOG.atError().withThrowable(ex).log("Unable to apply {}", sprm);
}
}
@@ -82,29 +77,23 @@ public final class TableSprmUncompressor extends SprmUncompressor {
* @param newTAP The TableProperties object to perform the operation on.
* @param sprm The operation to perform.
*/
- static void unCompressTAPOperation (TableProperties newTAP, SprmOperation sprm)
- {
- switch (sprm.getOperation())
- {
+ static void unCompressTAPOperation (TableProperties newTAP, SprmOperation sprm) {
+ switch (sprm.getOperation()) {
case 0:
newTAP.setJc ((short) sprm.getOperand());
break;
- case 0x01:
- {
+ case 0x01: {
short[] rgdxaCenter = newTAP.getRgdxaCenter ();
short itcMac = newTAP.getItcMac ();
int adjust = sprm.getOperand() - (rgdxaCenter[0] + newTAP.getDxaGapHalf ());
- for (int x = 0; x < itcMac; x++)
- {
+ for (int x = 0; x < itcMac; x++) {
rgdxaCenter[x] += (short) adjust;
}
break;
}
- case 0x02:
- {
+ case 0x02: {
short[] rgdxaCenter = newTAP.getRgdxaCenter ();
- if (rgdxaCenter != null)
- {
+ if (rgdxaCenter != null) {
int adjust = newTAP.getDxaGapHalf () - sprm.getOperand();
rgdxaCenter[0] += (short) adjust;
}
@@ -117,8 +106,7 @@ public final class TableSprmUncompressor extends SprmUncompressor {
case 0x04:
newTAP.setFTableHeader (getFlag (sprm.getOperand()));
break;
- case 0x05:
- {
+ case 0x05: {
byte[] buf = sprm.getGrpprl();
int offset = sprm.getGrpprlOffset();
newTAP.setBrcTop(new BorderCode(buf, offset));
@@ -141,8 +129,7 @@ public final class TableSprmUncompressor extends SprmUncompressor {
case 0x07:
newTAP.setDyaRowHeight (sprm.getOperand());
break;
- case 0x08:
- {
+ case 0x08: {
byte[] grpprl = sprm.getGrpprl();
int offset = sprm.getGrpprlOffset();
short itcMac = grpprl[offset];
@@ -154,8 +141,7 @@ public final class TableSprmUncompressor extends SprmUncompressor {
newTAP.setRgtc (rgtc);
// get the rgdxaCenters
- for (int x = 0; x < itcMac; x++)
- {
+ for (int x = 0; x < itcMac; x++) {
rgdxaCenter[x] = LittleEndian.getShort (grpprl, offset + (1 + (x * 2)));
}
@@ -165,8 +151,7 @@ public final class TableSprmUncompressor extends SprmUncompressor {
boolean hasTCs = startOfTCs < endOfSprm;
- for (int x = 0; x < itcMac; x++)
- {
+ for (int x = 0; x < itcMac; x++) {
// Sometimes, the grpprl does not contain data at every offset. I have no idea why this happens.
if(hasTCs && offset + (1 + ( (itcMac + 1) * 2) + (x * 20)) < grpprl.length)
rgtc[x] = TableCellDescriptor.convertBytesToTC(grpprl,
@@ -193,26 +178,19 @@ public final class TableSprmUncompressor extends SprmUncompressor {
// for (int x = varParam[0]; x < varParam[1]; x++)
// {
//
-// if ((varParam[2] & 0x08) > 0)
-// {
+// if ((varParam[2] & 0x08) > 0) {
// short[] brcRight = rgtc[x].getBrcRight ();
// brcRight[0] = LittleEndian.getShort (varParam, 6);
// brcRight[1] = LittleEndian.getShort (varParam, 8);
-// }
-// else if ((varParam[2] & 0x04) > 0)
-// {
+// } else if ((varParam[2] & 0x04) > 0) {
// short[] brcBottom = rgtc[x].getBrcBottom ();
// brcBottom[0] = LittleEndian.getShort (varParam, 6);
// brcBottom[1] = LittleEndian.getShort (varParam, 8);
-// }
-// else if ((varParam[2] & 0x02) > 0)
-// {
+// } else if ((varParam[2] & 0x02) > 0) {
// short[] brcLeft = rgtc[x].getBrcLeft ();
// brcLeft[0] = LittleEndian.getShort (varParam, 6);
// brcLeft[1] = LittleEndian.getShort (varParam, 8);
-// }
-// else if ((varParam[2] & 0x01) > 0)
-// {
+// } else if ((varParam[2] & 0x01) > 0) {
// short[] brcTop = rgtc[x].getBrcTop ();
// brcTop[0] = LittleEndian.getShort (varParam, 6);
// brcTop[1] = LittleEndian.getShort (varParam, 8);
@@ -221,8 +199,7 @@ public final class TableSprmUncompressor extends SprmUncompressor {
// break;
// }
break;
- case 0x21:
- {
+ case 0x21: {
int param = sprm.getOperand();
int index = (param & 0xff000000) >> 24;
int count = (param & 0x00ff0000) >> 16;
@@ -231,15 +208,13 @@ public final class TableSprmUncompressor extends SprmUncompressor {
short[] rgdxaCenter = new short[itcMac + count + 1];
TableCellDescriptor[] rgtc = new TableCellDescriptor[itcMac + count];
- if (index >= itcMac)
- {
+ if (index >= itcMac) {
index = itcMac;
System.arraycopy(newTAP.getRgdxaCenter(), 0, rgdxaCenter, 0,
itcMac + 1);
System.arraycopy(newTAP.getRgtc(), 0, rgtc, 0, itcMac);
}
- else
- {
+ else {
//copy rgdxaCenter
System.arraycopy(newTAP.getRgdxaCenter(), 0, rgdxaCenter, 0,
index + 1);
@@ -251,8 +226,7 @@ public final class TableSprmUncompressor extends SprmUncompressor {
itcMac - index);
}
- for (int x = index; x < index + count; x++)
- {
+ for (int x = index; x < index + count; x++) {
rgtc[x] = new TableCellDescriptor();
rgdxaCenter[x] = (short)(rgdxaCenter[x - 1] + width);
}
@@ -311,7 +285,4 @@ public final class TableSprmUncompressor extends SprmUncompressor {
break;
}
}
-
-
-
}
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
index 71f4327133..a2aac7b19f 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
@@ -38,8 +38,7 @@ import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.MethodSource;
-public class TestWordToConverterSuite
-{
+public class TestWordToConverterSuite {
/**
* YK: a quick hack to exclude failing documents from the suite.
*/
@@ -60,7 +59,8 @@ public class TestWordToConverterSuite
"clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
"TestHPSFWritingFunctionality.doc",
"clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc",
- "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc"
+ "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc",
+ "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5050208641482752.doc"
);
public static Stream<Arguments> files() {
@@ -139,6 +139,4 @@ public class TestWordToConverterSuite
// no exceptions
assertNotNull(stringWriter.toString());
}
-
-
}
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
index 30e46e5d9f..2b2cfed94e 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
@@ -52,7 +52,8 @@ public class TestWordToTextConverter {
"clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
"TestHPSFWritingFunctionality.doc",
"clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc",
- "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc"
+ "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc",
+ "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5050208641482752.doc"
);
/**
diff --git a/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5050208641482752.doc b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5050208641482752.doc
new file mode 100644
index 0000000000..4e03699c58
--- /dev/null
+++ b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5050208641482752.doc
Binary files differ
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 55c4c0d33c..ff6626135d 100644
--- a/test-data/spreadsheet/stress.xls
+++ b/test-data/spreadsheet/stress.xls
Binary files differ