From 729d78cda69e489a40f33d8e6c0056c4f4758099 Mon Sep 17 00:00:00 2001
From: Dominik Stadler
Date: Thu, 6 Jan 2022 11:10:00 +0000
Subject: Limit allocated elements in the PlfLfo structure for word documents

Use large allocation-detection here as well, otherwise some documents can try to allocate too much memory.

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1896744 13f79535-47bb-0310-9956-ffa450edef68
---
 .../main/java/org/apache/poi/hwpf/model/PlfLfo.java | 8 ++++++--
 .../hwpf/converter/TestWordToConverterSuite.java | 4 +++-
 test-data/document/Fuzzed.doc | Bin 0 -> 335360 bytes
 test-data/spreadsheet/stress.xls | Bin 51712 -> 38912 bytes
 4 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 test-data/document/Fuzzed.doc

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
index b92c2d41b2..a9f54d32c9 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java
@@ -26,6 +26,7 @@ import java.util.NoSuchElementException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.poi.hwpf.model.types.LFOAbstractType;
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.LittleEndian;
 import org.apache.poi.util.LittleEndianConsts;
 
@@ -37,10 +38,11 @@ import static org.apache.logging.log4j.util.Unbox.box;
 * Documentation quoted from Page 424 of 621. [MS-DOC] -- v20110315 Word (.doc)
 * Binary File Format
 */
-public class PlfLfo
-{
+public class PlfLfo {
 private static final Logger LOGGER = LogManager.getLogger(PlfLfo.class);
 
+ private static final int MAX_NUMBER_OF_LFO = 100_000;
+
 /**
 * An unsigned integer that specifies the count of elements in both the
 * rgLfo and rgLfoData arrays.
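Review bot: `MAX_NUMBER_OF_LFO` is introduced without a comment, so a reader cannot tell whether 100_000 comes from the file format or is an arbitrary safety margin. The javadoc just below it describes the count as an unsigned integer read from the document, which suggests the cap is a defensive choice; I would say so on the constant, for example `// Upper bound on the lfoMac count read from the document; guards the array allocations against corrupt or hostile files`. The same hunk also moves the class's opening brace, which is unrelated formatting and makes the security-relevant line harder to find in history. The class body continues outside the hunk.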
@@ -76,6 +78,8 @@ public class PlfLfo
 + Integer.MAX_VALUE + " elements" );
 }
 
+ IOUtils.safelyAllocateCheck(lfoMacLong, MAX_NUMBER_OF_LFO);
+
 this._lfoMac = (int) lfoMacLong;
 _rgLfo = new LFO[_lfoMac];
 _rgLfoData = new LFOData[_lfoMac];
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
index fcae380bbf..0df1b84f6b 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
@@ -54,7 +54,9 @@ public class TestWordToConverterSuite
 "password_tika_binaryrc4.doc",
 "password_password_cryptoapi.doc",
 // WORD 2.0 file
- "word2.doc"
+ "word2.doc",
+ // Corrupt file
+ "Fuzzed.doc"
 );
 
 public static Stream files() {
diff --git a/test-data/document/Fuzzed.doc b/test-data/document/Fuzzed.doc
new file mode 100644
index 0000000000..c8201d8859
Binary files /dev/null and b/test-data/document/Fuzzed.doc differ
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 4a3e253615..bd26bf16d1 100644
Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ
-- cgit v1.2.3
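Review bot: The added `IOUtils.safelyAllocateCheck(lfoMacLong, MAX_NUMBER_OF_LFO)` in the PlfLfo.java hunk bounds the declared count, but nothing visible there ties that count to the amount of data actually present, so a truncated structure declaring up to 100,000 entries still gets both `_rgLfo` and `_rgLfoData` allocated in full before any per-entry read can fail. If the constructor knows how many bytes remain after the count field, a second guard such as `if (lfoMacLong * ENTRY_SIZE > bytesRemaining) throw ...` (both names are placeholders) would reject such input before allocating. The earlier `Integer.MAX_VALUE` branch is now subsumed by the tighter cap and, judging by its message, may raise a different exception type than the new check, so callers handling corrupt documents could see two failure types for one condition. As far as I recall the helper also honours an application-wide size override, so it is worth confirming that raising that override for large files does not lift this element-count limit as well. The constructor starts and ends outside the hunk.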
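Review bot: In the TestWordToConverterSuite.java hunk, `Fuzzed.doc` is appended to a list whose neighbours are password-protected and Word 2.0 samples, which looks like the set of files this suite skips or expects to fail (the list's declaration is outside the hunk), so nothing on this page asserts that the new sample is rejected by the allocation check rather than by some other error. A small dedicated test that opens the file and asserts the specific exception from the count check would pin the fix. The comment could also say more than `// Corrupt file`, e.g. `// Fuzzed sample, presumably with an oversized PlfLfo count; must be rejected, not converted`. The commit also replaces `test-data/spreadsheet/stress.xls` (51712 -> 38912 bytes) without mentioning it in the message; binary changes cannot be reviewed from the diff, so it is worth confirming that one is intentional.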