author | Dominik Stadler <centic@apache.org> | 2023-09-18 06:38:37 +0000 |
---|---|---|
committer | Dominik Stadler <centic@apache.org> | 2023-09-18 06:38:37 +0000 |
commit | 88bbfbb3f747e2f18768e928facf11712ab7b4c7 (patch) | |
tree | a30aedc09f1b30455f424614a8d41be802c90932 /poi | |
parent | 836512cc1f32ec9f0485f317c298958b1db5b82f (diff) | |
Bug 66425: Avoid exceptions found via poi-fuzz
We try to avoid throwing NullPointerException, ClassCastExceptions and StackOverflowException, but it was possible
to trigger them
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61562
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62068
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1912383 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'poi')
-rw-r--r-- | poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java b/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
index 74df2761a6..da4d2a3289 100644
--- a/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
+++ b/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
@@ -50,6 +50,8 @@ public final class EscherContainerRecord extends EscherRecord implements Iterabl
 private static final Logger LOGGER = LogManager.getLogger(EscherContainerRecord.class);
+ private static final int MAX_NESTED_CHILD_NODES = 1000;
+
 /**
 * in case if document contains any charts we have such document structure:
 * BOF
@@ -86,12 +88,26 @@ public final class EscherContainerRecord extends EscherRecord implements Iterabl
 @Override
 public int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory) {
+ return fillFields(data, pOffset, recordFactory, 0);
+ }
+
+ private int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory, int nesting) {
+ if (nesting > MAX_NESTED_CHILD_NODES) {
+ throw new IllegalStateException("Had more than the limit of " + MAX_NESTED_CHILD_NODES + " nested child notes");
+ }
 int bytesRemaining = readHeader(data, pOffset);
 int bytesWritten = 8;
 int offset = pOffset + 8;
 while (bytesRemaining > 0 && offset < data.length) {
 EscherRecord child = recordFactory.createRecord(data, offset);
- int childBytesWritten = child.fillFields(data, offset, recordFactory);
+
+ final int childBytesWritten;
+ if (child instanceof EscherContainerRecord) {
+ childBytesWritten = ((EscherContainerRecord)child).fillFields(data, offset, recordFactory, nesting + 1);
+ } else {
+ childBytesWritten = child.fillFields(data, offset, recordFactory);
+ }
+
 bytesWritten += childBytesWritten;
 offset += childBytesWritten;
 bytesRemaining -= childBytesWritten; |
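Review bot: `MAX_NESTED_CHILD_NODES` is added without a comment saying what it bounds or why 1000 was chosen. A short Javadoc would help the next maintainer, for example `/** Maximum container nesting depth accepted while parsing; bounds recursion in fillFields() so malformed input fails with an exception instead of exhausting the stack. */`. Whether 1000 levels fit in the stack depends on the thread's stack size, so the comment should say the value is a heuristic.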
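Review bot: The depth counter is only carried forward when the child is an `EscherContainerRecord`; the `else` branch calls the public `child.fillFields(data, offset, recordFactory)`, which has no depth argument. If any other record type parses its own children through the factory (not visible in this hunk), a container reached through it would restart at `nesting` 0, so a crafted file alternating the two types could still recurse past the limit. Carrying the depth on the `EscherRecord` base method, rather than through an `instanceof` check here, would make every recursive path share the same count. The exception text also has a typo and should read `" nested child nodes"`. The `while` loop continues past the end of the hunk, so the handling of a zero or negative `childBytesWritten` cannot be checked from here.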