Bug 66425: Avoid a ClassCastException found via oss-fuzz

We try to avoid throwing ClassCastException, but it was possible
to trigger one here with a specially crafted input-file

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61317

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911565 13f79535-47bb-0310-9956-ffa450edef68

5 files changed, 9 insertions, 4 deletions

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java
index 325abc6df8..22bf28eab7 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java
@@ -54,7 +54,6 @@ import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.Internal;
 import org.apache.poi.util.LittleEndianByteArrayInputStream;
 
-
 /**
  * This class holds much of the core of a Word document, but
  *  without some of the table structure information.
@@ -187,7 +186,11 @@ public abstract class HWPFDocumentCore extends POIDocument {
 
         DirectoryEntry objectPoolEntry = null;
         if (directory.hasEntry(STREAM_OBJECT_POOL)) {
-            objectPoolEntry = (DirectoryEntry) directory.getEntry(STREAM_OBJECT_POOL);
+            final Entry entry = directory.getEntry(STREAM_OBJECT_POOL);
+            if (!(entry instanceof DirectoryEntry)) {
+                throw new IllegalArgumentException("Had unexpected type of entry for name: " + STREAM_OBJECT_POOL + ": " + entry.getClass());
+            }
+            objectPoolEntry = (DirectoryEntry) entry;
         }
         _objectPool = new ObjectPoolImpl(objectPoolEntry);
     }
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
index cafc6c3dfa..71f4327133 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
@@ -59,7 +59,8 @@ public class TestWordToConverterSuite
         "Fuzzed.doc",
         "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
         "TestHPSFWritingFunctionality.doc",
-        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc"
+        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc",
+        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc"
     );
 
     public static Stream<Arguments> files() {
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
index 4bb810735f..30e46e5d9f 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
@@ -51,7 +51,8 @@ public class TestWordToTextConverter {
         // Corrupt files
         "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
         "TestHPSFWritingFunctionality.doc",
-        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc"
+        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc",
+        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc"
     );
 
     /**
diff --git a/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc
new file mode 100644
index 0000000000..c1dea2dc4d
--- /dev/null
+++ b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index b9ac3702aa..f792d02ef3 100644
--- a/test-data/spreadsheet/stress.xls
+++ b/test-data/spreadsheet/stress.xls