author | Dominik Stadler <centic@apache.org> | 2023-01-01 15:59:44 +0000 |
---|---|---|
committer | Dominik Stadler <centic@apache.org> | 2023-01-01 15:59:44 +0000 |
commit | 059283c9e6cbfb65a2f5796de8b01bf13a28dd7f (patch) | |
tree | f8c74feded78896ea884b5c2e168780dfc642406 /poi-scratchpad/src/main | |
parent | ab45ef779ce4e12e56e4715e7abf0f0b8b46d2af (diff) | |
Prevent more cases of unbounded allocation
Test WordToTextConverter with all sample files
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1906326 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'poi-scratchpad/src/main')
-rw-r--r-- | poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/NilPICFAndBinData.java | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/NilPICFAndBinData.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/NilPICFAndBinData.java
index 3377c8cd9c..c20d39ff66 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/NilPICFAndBinData.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/NilPICFAndBinData.java
@@ -20,56 +20,56 @@ import java.util.Arrays; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; +import org.apache.poi.util.IOUtils; import org.apache.poi.util.LittleEndian; import org.apache.poi.util.LittleEndianConsts; import static java.lang.Integer.toHexString; import static org.apache.logging.log4j.util.Unbox.box; -public class NilPICFAndBinData -{ - +public class NilPICFAndBinData { private static final Logger LOGGER = LogManager.getLogger(NilPICFAndBinData.class); + // limit the default maximum length of the allocated fields + private static final int MAX_SIZE = 100_000; + private byte[] _binData; - public NilPICFAndBinData( byte[] data, int offset ) - { + public NilPICFAndBinData( byte[] data, int offset ) { fillFields( data, offset ); } - public void fillFields( byte[] data, int offset ) - { + public void fillFields( byte[] data, int offset ) { int lcb = LittleEndian.getInt( data, offset ); int cbHeader = LittleEndian.getUShort( data, offset + LittleEndianConsts.INT_SIZE ); - if ( cbHeader != 0x44 ) - { + if ( cbHeader != 0x44 ) { LOGGER.atWarn().log("NilPICFAndBinData at offset {} cbHeader 0x{} != 0x44", box(offset), toHexString(cbHeader)); } + // make sure these do not cause OOM if passed as invalid or extremely large values + IOUtils.safelyAllocateCheck(lcb, MAX_SIZE); + IOUtils.safelyAllocateCheck(cbHeader, MAX_SIZE); + // skip the 62 ignored bytes int binaryLength = lcb - cbHeader; this._binData = Arrays.copyOfRange(data, offset + cbHeader, offset + cbHeader + binaryLength); } - public byte[] getBinData() - { + public byte[] getBinData() { return _binData; } - public byte[] serialize() - { + public byte[] serialize() { byte[] bs = new byte[_binData.length + 0x44]; LittleEndian.putInt( bs, 0, _binData.length + 0x44 ); System.arraycopy( _binData, 0, bs, 0x44, _binData.length ); return bs; } - public int serialize( byte[] data, int offset ) - { + public int serialize( byte[] data, int offset ) { LittleEndian.putInt( data, 
offset, _binData.length + 0x44 ); System.arraycopy( _binData, 0, data, offset + 0x44, _binData.length ); return 0x44 + _binData.length; |
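Review bot: In `fillFields`, the two `safelyAllocateCheck` calls bound `lcb` and `cbHeader` separately, but the value actually used as the copy length, `binaryLength = lcb - cbHeader`, is never validated against zero or against the bytes available in `data`. Because `cbHeader` is read with `getUShort` it cannot exceed `MAX_SIZE`, so the second check looks like a no-op, while an `lcb` smaller than `cbHeader` still reaches `Arrays.copyOfRange` with from > to and surfaces as an `IllegalArgumentException` rather than a parse error; a declared length that runs past the end of `data` is silently zero-padded. I would check the derived range just before the copy, e.g. `if (binaryLength < 0 || binaryLength > data.length - offset - cbHeader) throw new RecordFormatException("NilPICFAndBinData length " + binaryLength + " is outside the available data");`, which needs the `RecordFormatException` import (drop the second condition if padding truncated input is intended).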