authorDominik Stadler <centic@apache.org>2023-09-18 06:38:37 +0000
committerDominik Stadler <centic@apache.org>2023-09-18 06:38:37 +0000
commit88bbfbb3f747e2f18768e928facf11712ab7b4c7 (patch)
treea30aedc09f1b30455f424614a8d41be802c90932 /poi
parent836512cc1f32ec9f0485f317c298958b1db5b82f (diff)
downloadpoi-88bbfbb3f747e2f18768e928facf11712ab7b4c7.tar.gz
poi-88bbfbb3f747e2f18768e928facf11712ab7b4c7.zip
Bug 66425: Avoid exceptions found via poi-fuzz
We try to avoid throwing NullPointerException, ClassCastExceptions and StackOverflowException, but it was possible to trigger them. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61562 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62068 git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1912383 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'poi')
-rw-r--r--poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java18
1 files changed, 17 insertions, 1 deletions
diff --git a/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java b/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
index 74df2761a6..da4d2a3289 100644
--- a/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
+++ b/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
@@ -50,6 +50,8 @@ public final class EscherContainerRecord extends EscherRecord implements Iterabl
private static final Logger LOGGER = LogManager.getLogger(EscherContainerRecord.class);
+ private static final int MAX_NESTED_CHILD_NODES = 1000;
+
/**
* in case if document contains any charts we have such document structure:
* BOF
@@ -86,12 +88,26 @@ public final class EscherContainerRecord extends EscherRecord implements Iterabl
@Override
public int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory) {
+ return fillFields(data, pOffset, recordFactory, 0);
+ }
+
+ private int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory, int nesting) {
+ if (nesting > MAX_NESTED_CHILD_NODES) {
+ throw new IllegalStateException("Had more than the limit of " + MAX_NESTED_CHILD_NODES + " nested child notes");
+ }
int bytesRemaining = readHeader(data, pOffset);
int bytesWritten = 8;
int offset = pOffset + 8;
while (bytesRemaining > 0 && offset < data.length) {
EscherRecord child = recordFactory.createRecord(data, offset);
- int childBytesWritten = child.fillFields(data, offset, recordFactory);
+
+ final int childBytesWritten;
+ if (child instanceof EscherContainerRecord) {
+ childBytesWritten = ((EscherContainerRecord)child).fillFields(data, offset, recordFactory, nesting + 1);
+ } else {
+ childBytesWritten = child.fillFields(data, offset, recordFactory);
+ }
+
bytesWritten += childBytesWritten;
offset += childBytesWritten;
bytesRemaining -= childBytesWritten;
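Review bot: The depth counter is only carried through the `instanceof EscherContainerRecord` branch; the `else` branch calls the public three-argument `fillFields`, and for a container that override starts again at `nesting` 0. If any other `EscherRecord` subclass also parses child records through `recordFactory` (not visible in this hunk, so worth checking), a malformed file whose nesting passes through that type would reset the count and could still exhaust the stack before `MAX_NESTED_CHILD_NODES` is reached. Consider tracking depth in a place shared by all record types, and add a short comment on the constant saying it bounds recursion depth for untrusted input. Separately, the exception text says "nested child notes"; it should end with `" nested child nodes"`. The `while` loop continues past the end of the hunk.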