aboutsummaryrefslogtreecommitdiffstats
path: root/poi
diff options
context:
space:
mode:
authorDominik Stadler <centic@apache.org>2021-12-05 17:34:19 +0000
committerDominik Stadler <centic@apache.org>2021-12-05 17:34:19 +0000
commitf0e7cc0881856ba25a965504e68a70f7dd9046b3 (patch)
tree2eb14d848d54e0057800cc8787bfcf04366b5357 /poi
parent0210af791ee17d3cdda6671ddfe008a07a2bd4f0 (diff)
downloadpoi-f0e7cc0881856ba25a965504e68a70f7dd9046b3.tar.gz
poi-f0e7cc0881856ba25a965504e68a70f7dd9046b3.zip
Fix issues found when fuzzing Apache POI via Jazzer
Check for negative array allocation size or access and report a more meaningful exception git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1895599 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'poi')
-rw-r--r--poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java8
-rw-r--r--poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java5
-rw-r--r--poi/src/main/java/org/apache/poi/hssf/record/chart/ChartFRTInfoRecord.java3
-rw-r--r--poi/src/main/java/org/apache/poi/hssf/usermodel/HSSFRow.java4
-rw-r--r--poi/src/main/java/org/apache/poi/poifs/filesystem/BlockStore.java4
-rw-r--r--poi/src/main/java/org/apache/poi/ss/formula/constant/ConstantValueParser.java4
6 files changed, 26 insertions, 2 deletions
diff --git a/poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java b/poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java
index 86014c4d2b..0828e46537 100644
--- a/poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java
+++ b/poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java
@@ -22,6 +22,8 @@ import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
+import org.apache.poi.util.RecordFormatException;
+
/**
* Title: Record Factory<p>
* Description: Takes a stream and outputs an array of Record objects.
@@ -103,6 +105,10 @@ public final class RecordFactory {
* @return the equivalent array of {@link NumberRecord NumberRecords}
*/
public static NumberRecord[] convertRKRecords(MulRKRecord mrk) {
+ if (mrk.getNumColumns() < 0) {
+ throw new RecordFormatException("Cannot create RKRecords with negative number of columns: " + mrk.getNumColumns());
+ }
+
NumberRecord[] mulRecs = new NumberRecord[mrk.getNumColumns()];
for (int k = 0; k < mrk.getNumColumns(); k++) {
NumberRecord nr = new NumberRecord();
@@ -156,7 +162,7 @@ public final class RecordFactory {
*
* @exception org.apache.poi.util.RecordFormatException on error processing the InputStream
*/
- public static List<org.apache.poi.hssf.record.Record> createRecords(InputStream in) throws org.apache.poi.util.RecordFormatException {
+ public static List<org.apache.poi.hssf.record.Record> createRecords(InputStream in) throws RecordFormatException {
List<org.apache.poi.hssf.record.Record> records = new ArrayList<>(NUM_RECORDS);
diff --git a/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java b/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
index 62535e50b8..b83100845b 100644
--- a/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
+++ b/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
@@ -330,7 +330,10 @@ public final class RecordInputStream implements LittleEndianInput {
} else {
nextRecord();
nextChunk = Math.min(available(),len);
- assert(nextChunk > 0);
+ if (nextChunk <= 0) {
+ throw new RecordFormatException("Need to have a valid next chunk, but had: " + nextChunk +
+ " with len: " + len + " and available: " + available());
+ }
}
}
checkRecordPosition(nextChunk);
diff --git a/poi/src/main/java/org/apache/poi/hssf/record/chart/ChartFRTInfoRecord.java b/poi/src/main/java/org/apache/poi/hssf/record/chart/ChartFRTInfoRecord.java
index ed6e6c91d5..7d8dfd5355 100644
--- a/poi/src/main/java/org/apache/poi/hssf/record/chart/ChartFRTInfoRecord.java
+++ b/poi/src/main/java/org/apache/poi/hssf/record/chart/ChartFRTInfoRecord.java
@@ -78,6 +78,9 @@ public final class ChartFRTInfoRecord extends StandardRecord {
verOriginator = in.readByte();
verWriter = in.readByte();
int cCFRTID = in.readShort();
+ if (cCFRTID < 0) {
+ throw new IllegalArgumentException("Had negative CFRTID: " + cCFRTID);
+ }
rgCFRTID = new CFRTID[cCFRTID];
for (int i = 0; i < cCFRTID; i++) {
diff --git a/poi/src/main/java/org/apache/poi/hssf/usermodel/HSSFRow.java b/poi/src/main/java/org/apache/poi/hssf/usermodel/HSSFRow.java
index 3487e31595..4a28ca4668 100644
--- a/poi/src/main/java/org/apache/poi/hssf/usermodel/HSSFRow.java
+++ b/poi/src/main/java/org/apache/poi/hssf/usermodel/HSSFRow.java
@@ -96,6 +96,10 @@ public final class HSSFRow implements Row, Comparable<HSSFRow> {
row = record;
setRowNum(record.getRowNumber());
+ if (record.getLastCol() < 0 || INITIAL_CAPACITY < 0) {
+ throw new IllegalArgumentException("Had invalid column counts: " + record.getLastCol() + " and " + INITIAL_CAPACITY);
+ }
+
// Size the initial cell list such that a read only case won't waste
// lots of memory, and a create/read followed by adding new cells can
// add a bit without needing a resize
diff --git a/poi/src/main/java/org/apache/poi/poifs/filesystem/BlockStore.java b/poi/src/main/java/org/apache/poi/poifs/filesystem/BlockStore.java
index bdd016f860..178ff3aa8b 100644
--- a/poi/src/main/java/org/apache/poi/poifs/filesystem/BlockStore.java
+++ b/poi/src/main/java/org/apache/poi/poifs/filesystem/BlockStore.java
@@ -85,6 +85,10 @@ public abstract class BlockStore {
protected class ChainLoopDetector {
private final boolean[] used_blocks;
protected ChainLoopDetector(long rawSize) {
+ if (rawSize < 0) {
+ throw new IllegalArgumentException("Cannot create a ChainLoopDetector with negative size, but had: " + rawSize);
+ }
+
int blkSize = getBlockStoreBlockSize();
int numBlocks = (int)(rawSize / blkSize);
if ((rawSize % blkSize) != 0) {
diff --git a/poi/src/main/java/org/apache/poi/ss/formula/constant/ConstantValueParser.java b/poi/src/main/java/org/apache/poi/ss/formula/constant/ConstantValueParser.java
index e0e923b02e..9464ecbdb4 100644
--- a/poi/src/main/java/org/apache/poi/ss/formula/constant/ConstantValueParser.java
+++ b/poi/src/main/java/org/apache/poi/ss/formula/constant/ConstantValueParser.java
@@ -45,6 +45,10 @@ public final class ConstantValueParser {
}
public static Object[] parse(LittleEndianInput in, int nValues) {
+ if (nValues < 0) {
+ throw new IllegalArgumentException("Invalid number of values to parse: " + nValues);
+ }
+
Object[] result = new Object[nValues];
for (int i = 0; i < result.length; i++) {
result[i] = readAConstantValue(in);