authorNick Burch <nick@apache.org>2013-06-25 15:49:45 +0000
committerNick Burch <nick@apache.org>2013-06-25 15:49:45 +0000
commitfe58c66883a59d11874344ccfaadc47b59ad17ca (patch)
treeaa26e103be1c501e9e30eb11dcc6a401df9289c8 /src/scratchpad
parentad8825dc5298809f55a9ed3cc229e326b927883d (diff)
Sanity check the length, logging and truncating if too long, to avoid a StringIndexOutOfBoundsException (bug #54925)
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1496520 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'src/scratchpad')
-rw-r--r--src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java b/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java
index a877da1f24..953b0a25a1 100644
--- a/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java
+++ b/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java
@@ -273,6 +273,7 @@ public final class StyleTextPropAtom extends RecordAtom
while(pos < rawContents.length && textHandled < prsize) {
// First up, fetch the number of characters this applies to
int textLen = LittleEndian.getInt(rawContents,pos);
+ textLen = checkTextLength(textLen, textHandled, size);
textHandled += textLen;
pos += 4;
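Review bot: The `textLen` passed to `checkTextLength` here, and at the identical call in the second hunk's loop, is an unvalidated 32-bit value read straight from the record, and the helper added in the last hunk lets two kinds of input through. A negative `readLength` never satisfies `readLength + handledSoFar > overallSize + 1` and is returned unchanged, so `textHandled` moves backwards. Once `handledSoFar` is non-zero, a value near `Integer.MAX_VALUE` makes the sum wrap negative and is also returned unchanged. Comparing against the remaining budget avoids the overflow and covers the sign: `int remaining = overallSize + 1 - handledSoFar;` followed by `if (readLength < 0 || readLength > remaining) { /* log */ return remaining; }`, though whether a negative count should be truncated or rejected as a corrupt record is for the maintainers to decide. The loop body continues outside this hunk, so how `textLen` is consumed afterwards is not visible here.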
@@ -308,6 +309,7 @@ public final class StyleTextPropAtom extends RecordAtom
while(pos < rawContents.length && textHandled < chsize) {
// First up, fetch the number of characters this applies to
int textLen = LittleEndian.getInt(rawContents,pos);
+ textLen = checkTextLength(textLen, textHandled, size);
textHandled += textLen;
pos += 4;
@@ -345,6 +347,15 @@ public final class StyleTextPropAtom extends RecordAtom
initialised = true;
}
+
+ private int checkTextLength(int readLength, int handledSoFar, int overallSize) {
+ if (readLength + handledSoFar > overallSize + 1) {
+ logger.log(POILogger.WARN, "Style length of " + readLength + " at " + handledSoFar +
+ " larger than stated size of " + overallSize + ", truncating");
+ return overallSize + 1 - handledSoFar;
+ }
+ return readLength;
+ }
/**