authorDominik Stadler <centic@apache.org>2021-12-05 17:34:19 +0000
committerDominik Stadler <centic@apache.org>2021-12-05 17:34:19 +0000
commitf0e7cc0881856ba25a965504e68a70f7dd9046b3 (patch)
tree2eb14d848d54e0057800cc8787bfcf04366b5357 /poi-scratchpad
parent0210af791ee17d3cdda6671ddfe008a07a2bd4f0 (diff)
downloadpoi-f0e7cc0881856ba25a965504e68a70f7dd9046b3.tar.gz
poi-f0e7cc0881856ba25a965504e68a70f7dd9046b3.zip
Fix issues found when fuzzing Apache POI via Jazzer
Check for negative array allocation size or access and report a more meaningful exception

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1895599 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'poi-scratchpad')
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/CompressedStreamStore.java6
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java7
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/Ffn.java5
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/LFOData.java7
-rw-r--r--poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java4
5 files changed, 24 insertions, 5 deletions
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/CompressedStreamStore.java b/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/CompressedStreamStore.java
index 91ea0400e0..fc1057f839 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/CompressedStreamStore.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/CompressedStreamStore.java
@@ -58,7 +58,7 @@ public final class CompressedStreamStore extends StreamStore {
public static int getMaxRecordLength() {
return MAX_RECORD_LENGTH;
}
-
+
/**
* Creates a new compressed StreamStore, which will handle
* the decompression.
@@ -98,6 +98,10 @@ public final class CompressedStreamStore extends StreamStore {
HDGFLZW lzw = new HDGFLZW();
byte[] decompressed = lzw.decompress(bais);
+ if (decompressed.length < 4) {
+ throw new IllegalArgumentException("Could not read enough data to decompress: " + decompressed.length);
+ }
+
// Split into header and contents
byte[][] ret = new byte[2][];
ret[0] = new byte[4];
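Review bot: The exception text on the added check says "Could not read enough data to decompress", but the check runs after `lzw.decompress(bais)` has returned, so what is too short is the decompressed output, which must hold the 4-byte header split off just below. A message such as `"Decompressed stream too short for 4-byte header: " + decompressed.length`, plus a short comment like `// need at least the 4-byte header before splitting`, would make the failure easier to triage when it shows up in fuzzing output or production logs. The rest of the split, including the allocation for the contents, is outside the hunk.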
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java b/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java
index cd039cf36d..0879e394cf 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java
@@ -45,6 +45,9 @@ public abstract class QCPLCBit extends QCBit {
// First four bytes are the number
numberOfPLCs = (int)LittleEndian.getUInt(data, 0);
+ if (numberOfPLCs < 0) {
+ throw new IllegalArgumentException("Invalid number of PLCs: " + numberOfPLCs);
+ }
// Next four bytes are the type
typeOfPLCS = (int)LittleEndian.getUInt(data, 4);
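Review bot: The new guard on `numberOfPLCs` rejects only values that wrapped negative in the `(int)` cast of `LittleEndian.getUInt(data, 0)`; any positive count up to Integer.MAX_VALUE still passes and is later used as an array length (`new String[... cntPlcs]` in the last hunk of this file), so a malformed file can still cause a very large allocation and an OutOfMemoryError. Consider also bounding the count by what the record can hold, for example `if (numberOfPLCs < 0 || numberOfPLCs > data.length)`, assuming every PLC entry occupies at least one byte of `data`, which should be confirmed against the parsing code outside this hunk. The same lower-bound-only pattern appears in the LFOData hunk for `cLfolvl`, where the allocation it sizes is outside the visible lines. The constructor body starts and continues outside the hunk.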
@@ -86,7 +89,7 @@ public abstract class QCPLCBit extends QCBit {
this.plcValB = plcValB.clone();
}
-
+
public static QCPLCBit createQCPLCBit(String thingType, String bitType, byte[] data) {
// Grab the type
@@ -217,7 +220,7 @@ public abstract class QCPLCBit extends QCBit {
super(thingType, bitType, data);
int cntPlcs = getNumberOfPLCs();
-
+
// How many hyperlinks do we really have?
// (zero hyperlinks gets numberOfPLCs=1)
hyperlinks = new String[data.length == 0x34 ? 0 : cntPlcs];
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/Ffn.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/Ffn.java
index bea8b2e581..7c30f2346a 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/Ffn.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/Ffn.java
@@ -76,6 +76,11 @@ public final class Ffn {
offsetTmp = offset - offsetTmp;
_xszFfnLength = (this.getSize() - offsetTmp) / 2;
+
+ if (_xszFfnLength < 0) {
+ throw new IllegalArgumentException("Had invalid computed size: " + _xszFfnLength + " with size " + getSize() + " and offsetTmp: " + offsetTmp);
+ }
+
_xszFfn = new char[_xszFfnLength];
for (int i = 0; i < _xszFfnLength; i++) {
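Review bot: The added check tests `_xszFfnLength` after the division by two, and Java integer division truncates toward zero, so a remaining byte count of -1 yields 0 and passes as an empty `_xszFfn` instead of being reported as inconsistent. Checking the byte count before halving closes that gap: `int remaining = getSize() - offsetTmp;`, then `if (remaining < 0) { throw new IllegalArgumentException(...); }`, then `_xszFfnLength = remaining / 2;`. The check also does not confirm that the source buffer holds that many characters starting at `offset`; the read loop continues outside the hunk, so whether it is bounded elsewhere cannot be seen here.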
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/LFOData.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/LFOData.java
index 0e8cca03a4..726e67d7de 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/LFOData.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/LFOData.java
@@ -43,8 +43,11 @@ public class LFOData
_rgLfoLvl = new ListFormatOverrideLevel[0];
}
- LFOData( byte[] buf, int startOffset, int cLfolvl )
- {
+ LFOData( byte[] buf, int startOffset, int cLfolvl ) {
+ if (cLfolvl < 0) {
+ throw new IllegalArgumentException("Cannot create LFOData with negative count");
+ }
+
int offset = startOffset;
_cp = LittleEndian.getInt( buf, offset );
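Review bot: The new message `"Cannot create LFOData with negative count"` omits the offending value, unlike the other checks in this commit, which makes a fuzzer report or log entry harder to tie back to the input; `"Cannot create LFOData with negative count: " + cLfolvl` would match them. `startOffset` is not validated before `LittleEndian.getInt( buf, offset )`, so an out-of-range offset presumably still surfaces as an index exception rather than as this clearer error. The constructor continues outside the hunk.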
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
index 18d703c835..c9b8880f28 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
@@ -88,6 +88,10 @@ public final class StyleSheet {
_stshif = new Stshif(tableStream, offset);
+ if (_stshif.getCstd() < 0) {
+ throw new IllegalArgumentException("Cannot create StyleSheet, invalid Cstd: " + _stshif.getCstd());
+ }
+
// shall we discard cbLSD and mpstilsd?
offset = startOffset + LittleEndianConsts.SHORT_SIZE + _cbStshi;
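Review bot: `_stshif.getCstd()` is called twice in the added check, once for the comparison and once for the message; reading it into a local (`int cstd = _stshif.getCstd();`) keeps the two in step and gives the later code one validated value to use. A one-line comment saying why a negative value matters, e.g. `// Cstd is used as a count below; a negative value means a corrupt table stream`, would help, since the use of Cstd is outside the hunk and only the commit description indicates that it sizes an allocation or access. The constructor body starts and ends outside the hunk.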