authorTim Allison <tallison@apache.org>2017-07-14 20:47:40 +0000
committerTim Allison <tallison@apache.org>2017-07-14 20:47:40 +0000
commitd320b2ea4a0ad32e8d49b8ce3f6ac1583ea48a5a (patch)
tree07ad6e558e5a337858e5f47ba6be0e4609899d91 /src/java
parent5c674c92d382ec019273a9e1d09dad44f6eb99ca (diff)
bug 61300 -- prevent really long (infinite?) loop on corrupt file
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1801989 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'src/java')
-rw-r--r--src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java7
-rw-r--r--src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java4
-rw-r--r--src/java/org/apache/poi/util/BoundedInputStream.java2
-rw-r--r--src/java/org/apache/poi/util/IOUtils.java3
4 files changed, 14 insertions, 2 deletions
diff --git a/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java b/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java
index 5c9d35da23..848fd9f006 100644
--- a/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java
+++ b/src/java/org/apache/poi/poifs/filesystem/NDocumentInputStream.java
@@ -70,6 +70,9 @@ public final class NDocumentInputStream extends DocumentInputStream {
_document_size = document.getSize();
_closed = false;
+ if (_document_size < 0) {
+ //throw new RecordFormatException("Document size can't be < 0");
+ }
DocumentNode doc = (DocumentNode)document;
DocumentProperty property = (DocumentProperty)doc.getProperty();
_document = new NPOIFSDocument(
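Review bot: The added `if (_document_size < 0)` block contains only a commented-out throw, so a negative value from `document.getSize()` still reaches the rest of the constructor unchecked. ODocumentInputStream in this same commit rejects the same condition with a RecordFormatException, so the two stream classes now disagree on how a corrupt size field is handled. Either enable the check, `throw new RecordFormatException("Document size can't be < 0");` (adding the import if this file lacks it, which is not visible here), or replace the dead block with a comment explaining why this class must tolerate a negative size. The constructor starts and ends outside the hunk.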
@@ -248,6 +251,10 @@ public final class NDocumentInputStream extends DocumentInputStream {
@Override
public void readFully(byte[] buf, int off, int len) {
+ if (len < 0) {
+ throw new RuntimeException("Can't read negative number of bytes");
+ }
+
checkAvaliable(len);
int read = 0;
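Review bot: The negative-length guard in `readFully` throws a bare `RuntimeException`, which callers and log triage cannot tell apart from any other runtime failure while parsing malformed input. `throw new IllegalArgumentException("Can't read negative number of bytes: " + len);` stays unchecked, names the fault, and records the offending value. The visible lines do not check `off` and `off + len` against `buf.length`. Whether `checkAvaliable` or the code below covers that cannot be seen here, because the method body continues past the hunk.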
diff --git a/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java b/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java
index 9b6ce33f46..cc280390ef 100644
--- a/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java
+++ b/src/java/org/apache/poi/poifs/filesystem/ODocumentInputStream.java
@@ -20,6 +20,7 @@ package org.apache.poi.poifs.filesystem;
import java.io.IOException;
import org.apache.poi.poifs.storage.DataInputBlock;
+import org.apache.poi.util.RecordFormatException;
/**
* This class provides methods to read a DocumentEntry managed by a
@@ -64,6 +65,9 @@ public final class ODocumentInputStream extends DocumentInputStream {
_current_offset = 0;
_marked_offset = 0;
_document_size = document.getSize();
+ if (_document_size < 0) {
+ throw new RecordFormatException("document_size cannot be < 0");
+ }
_closed = false;
_document = documentNode.getDocument();
_currentBlock = getDataInputBlock(0);
diff --git a/src/java/org/apache/poi/util/BoundedInputStream.java b/src/java/org/apache/poi/util/BoundedInputStream.java
index 1cdeb39f33..1ef84d9ff0 100644
--- a/src/java/org/apache/poi/util/BoundedInputStream.java
+++ b/src/java/org/apache/poi/util/BoundedInputStream.java
@@ -19,8 +19,6 @@ package org.apache.poi.util;
import java.io.IOException;
import java.io.InputStream;
-import org.apache.poi.util.SuppressForbidden;
-
/**
* This is a stream that will only supply bytes up to a certain length - if its
* position goes above that, it will stop.
diff --git a/src/java/org/apache/poi/util/IOUtils.java b/src/java/org/apache/poi/util/IOUtils.java
index 296d92cf08..25e5652d93 100644
--- a/src/java/org/apache/poi/util/IOUtils.java
+++ b/src/java/org/apache/poi/util/IOUtils.java
@@ -310,6 +310,9 @@ public final class IOUtils {
byte[] buff = new byte[4096];
int count;
while ((count = inp.read(buff)) != -1) {
+ if (count < -1) {
+ throw new RecordFormatException("Can't have read < -1 bytes");
+ }
if (count > 0) {
out.write(buff, 0, count);
}
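Review bot: The new `count < -1` check catches a stream that returns an impossible negative count, but the loop still never ends if `inp.read(buff)` keeps returning 0, and the `if (count > 0)` branch skips that case silently. A read of 0 into a non-empty buffer also breaks the InputStream contract, so a corrupt-backed stream that makes no progress can stall this copy just as the case in the commit title does. Consider counting consecutive zero-length reads and throwing once a small limit is exceeded. At minimum add a comment above the loop such as `// a 0-byte read is tolerated here; a stream that never advances will spin`. The enclosing method starts and ends outside the hunk.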