Limit allocated elements in the PlfLfo structure for word documents

Use large allocation-detection here as well, otherwise some documents can try to allocate too much memory. git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1896744 13f79535-47bb-0310-9956-ffa450edef68
author: Dominik Stadler <centic@apache.org> 2022-01-06 11:10:00 +0000
committer: Dominik Stadler <centic@apache.org> 2022-01-06 11:10:00 +0000
commit: 729d78cda69e489a40f33d8e6c0056c4f4758099 (patch)
tree: eed44e9f952bda2849de1bbfbde3a3f5f70238a9 /poi-scratchpad
parent: 71f063b465244bd954ea39883ced713a49dc1b67 (diff)
download: poi-729d78cda69e489a40f33d8e6c0056c4f4758099.tar.gz
poi-729d78cda69e489a40f33d8e6c0056c4f4758099.zip
2 files changed, 9 insertions, 3 deletions
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
index b92c2d41b2..a9f54d32c9 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
@@ -26,6 +26,7 @@ import java.util.NoSuchElementException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.poi.hwpf.model.types.LFOAbstractType;
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.LittleEndian;
 import org.apache.poi.util.LittleEndianConsts;
 
@@ -37,10 +38,11 @@ import static org.apache.logging.log4j.util.Unbox.box;
  * Documentation quoted from Page 424 of 621. [MS-DOC] -- v20110315 Word (.doc)
  * Binary File Format
  */
-public class PlfLfo
-{
+public class PlfLfo {
     private static final Logger LOGGER = LogManager.getLogger(PlfLfo.class);
 
+    private static final int MAX_NUMBER_OF_LFO = 100_000;
+
     /**
      * An unsigned integer that specifies the count of elements in both the
      * rgLfo and rgLfoData arrays.
@@ -76,6 +78,8 @@ public class PlfLfo
                             + Integer.MAX_VALUE + " elements" );
         }
 
+        IOUtils.safelyAllocateCheck(lfoMacLong, MAX_NUMBER_OF_LFO);
+
         this._lfoMac = (int) lfoMacLong;
         _rgLfo = new LFO[_lfoMac];
         _rgLfoData = new LFOData[_lfoMac];
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
index fcae380bbf..0df1b84f6b 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
@@ -54,7 +54,9 @@ public class TestWordToConverterSuite
         "password_tika_binaryrc4.doc",
         "password_password_cryptoapi.doc",
         // WORD 2.0 file
-        "word2.doc"
+        "word2.doc",
+        // Corrupt file
+        "Fuzzed.doc"
     );
 
     public static Stream<Arguments> files() {
author	Dominik Stadler <centic@apache.org>	2022-01-06 11:10:00 +0000
committer	Dominik Stadler <centic@apache.org>	2022-01-06 11:10:00 +0000
commit	729d78cda69e489a40f33d8e6c0056c4f4758099 (patch)
tree	eed44e9f952bda2849de1bbfbde3a3f5f70238a9 /poi-scratchpad
parent	71f063b465244bd954ea39883ced713a49dc1b67 (diff)
download	poi-729d78cda69e489a40f33d8e6c0056c4f4758099.tar.gz poi-729d78cda69e489a40f33d8e6c0056c4f4758099.zip