author | Dominik Stadler <centic@apache.org> | 2021-12-05 17:34:19 +0000 |
---|---|---|
committer | Dominik Stadler <centic@apache.org> | 2021-12-05 17:34:19 +0000 |
commit | f0e7cc0881856ba25a965504e68a70f7dd9046b3 (patch) | |
tree | 2eb14d848d54e0057800cc8787bfcf04366b5357 /poi | |
parent | 0210af791ee17d3cdda6671ddfe008a07a2bd4f0 (diff) | |
Fix issues found when fuzzing Apache POI via Jazzer
Check for negative array allocation size or access and report a more meaningful exception
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1895599 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'poi')
6 files changed, 26 insertions, 2 deletions
diff --git a/poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java b/poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java
index 86014c4d2b..0828e46537 100644
--- a/poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java
+++ b/poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java
@@ -22,6 +22,8 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import org.apache.poi.util.RecordFormatException;
+
 /**
 * Title: Record Factory<p>
 * Description: Takes a stream and outputs an array of Record objects.
@@ -103,6 +105,10 @@ public final class RecordFactory {
 * @return the equivalent array of {@link NumberRecord NumberRecords}
 */
 public static NumberRecord[] convertRKRecords(MulRKRecord mrk) {
+ if (mrk.getNumColumns() < 0) {
+ throw new RecordFormatException("Cannot create RKRecords with negative number of columns: " + mrk.getNumColumns());
+ }
+
 NumberRecord[] mulRecs = new NumberRecord[mrk.getNumColumns()];
 for (int k = 0; k < mrk.getNumColumns(); k++) {
 NumberRecord nr = new NumberRecord();
@@ -156,7 +162,7 @@ public final class RecordFactory {
 *
 * @exception org.apache.poi.util.RecordFormatException on error processing the InputStream
 */
- public static List<org.apache.poi.hssf.record.Record> createRecords(InputStream in) throws org.apache.poi.util.RecordFormatException {
+ public static List<org.apache.poi.hssf.record.Record> createRecords(InputStream in) throws RecordFormatException {
 List<org.apache.poi.hssf.record.Record> records = new ArrayList<>(NUM_RECORDS);
diff --git a/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java b/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
index 62535e50b8..b83100845b 100644
--- a/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
+++ b/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
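Review bot: In convertRKRecords (RecordFactory.java) the new guard calls `mrk.getNumColumns()` for the check and again for the message, while the unchanged lines call it again for the array size and the loop bound. Reading it once, e.g. `final int numColumns = mrk.getNumColumns();`, and using that local for the check, the `new NumberRecord[numColumns]` allocation and the loop would make it explicit that the validated value is the one that sizes the array. The method body continues past the end of the hunk, so the remaining uses are not visible here.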
@@ -330,7 +330,10 @@ public final class RecordInputStream implements LittleEndianInput {
 } else {
 nextRecord();
 nextChunk = Math.min(available(),len);
- assert(nextChunk > 0);
+ if (nextChunk <= 0) {
+ throw new RecordFormatException("Need to have a valid next chunk, but had: " + nextChunk +
+ " with len: " + len + " and available: " + available());
+ }
 }
 }
 checkRecordPosition(nextChunk);
diff --git a/poi/src/main/java/org/apache/poi/hssf/record/chart/ChartFRTInfoRecord.java b/poi/src/main/java/org/apache/poi/hssf/record/chart/ChartFRTInfoRecord.java
index ed6e6c91d5..7d8dfd5355 100644
--- a/poi/src/main/java/org/apache/poi/hssf/record/chart/ChartFRTInfoRecord.java
+++ b/poi/src/main/java/org/apache/poi/hssf/record/chart/ChartFRTInfoRecord.java
@@ -78,6 +78,9 @@ public final class ChartFRTInfoRecord extends StandardRecord {
 verOriginator = in.readByte();
 verWriter = in.readByte();
 int cCFRTID = in.readShort();
+ if (cCFRTID < 0) {
+ throw new IllegalArgumentException("Had negative CFRTID: " + cCFRTID);
+ }
 rgCFRTID = new CFRTID[cCFRTID];
 for (int i = 0; i < cCFRTID; i++) {
diff --git a/poi/src/main/java/org/apache/poi/hssf/usermodel/HSSFRow.java b/poi/src/main/java/org/apache/poi/hssf/usermodel/HSSFRow.java
index 3487e31595..4a28ca4668 100644
--- a/poi/src/main/java/org/apache/poi/hssf/usermodel/HSSFRow.java
+++ b/poi/src/main/java/org/apache/poi/hssf/usermodel/HSSFRow.java
@@ -96,6 +96,10 @@ public final class HSSFRow implements Row, Comparable<HSSFRow> {
 row = record;
 setRowNum(record.getRowNumber());
+ if (record.getLastCol() < 0 || INITIAL_CAPACITY < 0) {
+ throw new IllegalArgumentException("Had invalid column counts: " + record.getLastCol() + " and " + INITIAL_CAPACITY);
+ }
+
 // Size the initial cell list such that a read only case won't waste
 // lots of memory, and a create/read followed by adding new cells can
 // add a bit without needing a resize
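Review bot: The new `if (nextChunk <= 0)` branch in RecordInputStream has no comment saying why it throws where the old code asserted, so a later cleanup could fold it back into an `assert`. A line such as `// assertions are normally disabled at runtime, so a malformed record must be rejected explicitly here` above the check would record the intent. The message also calls `available()` a second time; that is presumably side-effect free, but the method is not visible in this hunk. The enclosing method starts and ends outside the hunk.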
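Review bot: The guard after `in.readShort()` in ChartFRTInfoRecord throws `IllegalArgumentException`, while the RecordFactory and RecordInputStream hunks of this same commit report malformed record data with `RecordFormatException`. A caller that catches `RecordFormatException` to reject corrupt files will not catch this one; consider `throw new RecordFormatException("Had negative CFRTID: " + cCFRTID);`, adding the `org.apache.poi.util.RecordFormatException` import if the file lacks it. The new checks in HSSFRow, BlockStore.ChainLoopDetector and ConstantValueParser.parse use `IllegalArgumentException` in the same way, although whether their values always originate from file contents is not visible here. It is also worth confirming against the record format whether this count is an unsigned 16-bit field, in which case a negative `readShort()` result is a large count read as signed and not necessarily a corrupt one.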
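Review bot: The `INITIAL_CAPACITY < 0` half of the new condition in the HSSFRow constructor tests what its name suggests is a constant (the declaration is outside the hunk), so it cannot vary with the input and only adds noise to the check and its message. If that is the case, `if (record.getLastCol() < 0) {` with a message that reports only `record.getLastCol()` states the real precondition. The allocation this guards is below the hunk, so confirm there that no other input-derived value contributes to the size.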
diff --git a/poi/src/main/java/org/apache/poi/poifs/filesystem/BlockStore.java b/poi/src/main/java/org/apache/poi/poifs/filesystem/BlockStore.java
index bdd016f860..178ff3aa8b 100644
--- a/poi/src/main/java/org/apache/poi/poifs/filesystem/BlockStore.java
+++ b/poi/src/main/java/org/apache/poi/poifs/filesystem/BlockStore.java
@@ -85,6 +85,10 @@ public abstract class BlockStore {
 protected class ChainLoopDetector {
 private final boolean[] used_blocks;
 protected ChainLoopDetector(long rawSize) {
+ if (rawSize < 0) {
+ throw new IllegalArgumentException("Cannot create a ChainLoopDetector with negative size, but had: " + rawSize);
+ }
+
 int blkSize = getBlockStoreBlockSize();
 int numBlocks = (int)(rawSize / blkSize);
 if ((rawSize % blkSize) != 0) {
diff --git a/poi/src/main/java/org/apache/poi/ss/formula/constant/ConstantValueParser.java b/poi/src/main/java/org/apache/poi/ss/formula/constant/ConstantValueParser.java
index e0e923b02e..9464ecbdb4 100644
--- a/poi/src/main/java/org/apache/poi/ss/formula/constant/ConstantValueParser.java
+++ b/poi/src/main/java/org/apache/poi/ss/formula/constant/ConstantValueParser.java
@@ -45,6 +45,10 @@ public final class ConstantValueParser {
 }
 public static Object[] parse(LittleEndianInput in, int nValues) {
+ if (nValues < 0) {
+ throw new IllegalArgumentException("Invalid number of values to parse: " + nValues);
+ }
+
 Object[] result = new Object[nValues];
 for (int i = 0; i < result.length; i++) {
 result[i] = readAConstantValue(in); |
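Review bot: The `rawSize < 0` check in the ChainLoopDetector constructor does not cover the narrowing cast two lines below it: `(int)(rawSize / blkSize)` still wraps for a large positive `rawSize` and can come out negative. If `numBlocks` sizes the `used_blocks` array (the allocation is below the hunk), the negative-size failure this commit targets stays reachable with a large size. A range check placed after `blkSize` is read closes it, e.g. `if (rawSize / blkSize >= Integer.MAX_VALUE) { throw new IllegalArgumentException("ChainLoopDetector size too large: " + rawSize); }`, or the cast can become `Math.toIntExact(rawSize / blkSize)`. The constructor continues past the end of the hunk.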
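Review bot: The guard added at the top of ConstantValueParser.parse bounds `nValues` only from below, so `new Object[nValues]` on the following line still allocates whatever positive count the caller passes before a single value has been read from `in`. If `nValues` can be derived from file contents (the callers are not visible here), a small malformed file could still force a very large allocation. An upper bound, either a fixed maximum or one tied to the remaining input, would cover that case, and a short Javadoc on `parse` stating the accepted range of `nValues` would document the contract.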