Author: centic
Date: Mon Apr 11 13:51:31 2022
New Revision: 1899749
URL: http://svn.apache.org/viewvc?rev=1899749&view=rev
Log:
Prevent an overly large allocation when using HPSF
Add a sample document from fuzzing which contains invalid/oversized values
Added:
poi/trunk/test-data/spreadsheet/poi-fuzz.xls
Modified:
poi/trunk/poi/src/main/java/org/apache/poi/hpsf/Array.java
poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
poi/trunk/test-data/spreadsheet/stress.xls
Modified: poi/trunk/poi/src/main/java/org/apache/poi/hpsf/Array.java
URL:
http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/hpsf/Array.java?rev=1899749&r1=1899748&r2=1899749&view=diff
==============================================================================
--- poi/trunk/poi/src/main/java/org/apache/poi/hpsf/Array.java (original)
+++ poi/trunk/poi/src/main/java/org/apache/poi/hpsf/Array.java Mon Apr 11
13:51:31 2022
@@ -16,12 +16,15 @@
==================================================================== */
package org.apache.poi.hpsf;
+import org.apache.poi.util.IOUtils;
import org.apache.poi.util.Internal;
import org.apache.poi.util.LittleEndianByteArrayInputStream;
@Internal
-public class Array
-{
+public class Array {
+
+ private static final int MAX_NUMBER_OF_ARRAY_SCALARS = 100_000;
+
static class ArrayDimension {
private long _size;
@SuppressWarnings("unused")
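Review bot: `MAX_NUMBER_OF_ARRAY_SCALARS` is introduced without a comment explaining what it bounds or why 100_000 was chosen. It is `private static final`, and nothing in this hunk lets a caller raise it. A legitimate property set holding a larger array would then be rejected with no workaround, so the trade-off should be stated at the declaration. A suitable comment would be `// Upper bound for the element count read from an HPSF array header; larger counts are treated as corrupt input so a crafted file cannot force a huge allocation`. If larger arrays are expected in real documents, consider making the limit adjustable rather than fixed.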
@@ -33,8 +36,7 @@ public class Array
}
}
- static class ArrayHeader
- {
+ static class ArrayHeader {
private ArrayDimension[] _dimensions;
private int _type;
@@ -47,7 +49,7 @@ public class Array
String msg = "Array dimension number "+numDimensionsUnsigned+"
is not in [1; 31] range";
throw new IllegalPropertySetDataException(msg);
}
-
+
int numDimensions = (int) numDimensionsUnsigned;
_dimensions = new ArrayDimension[numDimensions];
@@ -86,6 +88,8 @@ public class Array
}
int numberOfScalars = (int) numberOfScalarsLong;
+ IOUtils.safelyAllocateCheck(numberOfScalars,
MAX_NUMBER_OF_ARRAY_SCALARS);
+
_values = new TypedPropertyValue[numberOfScalars];
int paddedType = (_header._type == Variant.VT_VARIANT) ? 0 :
_header._type;
for ( int i = 0; i < numberOfScalars; i++ ) {
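Review bot: The added `IOUtils.safelyAllocateCheck(numberOfScalars, MAX_NUMBER_OF_ARRAY_SCALARS)` appears to report an oversized count with a different exception type than the other validation in this class. The dimension-count check earlier in the file throws `IllegalPropertySetDataException`, while the test change in this commit expects `RecordFormatException` for the fuzzed file. Code that parses untrusted documents and catches only the HPSF exception types would presumably let this one escape as an unhandled runtime exception. For consistency, the guard could be `if (numberOfScalars < 0 || numberOfScalars > MAX_NUMBER_OF_ARRAY_SCALARS) throw new IllegalPropertySetDataException("Array scalar count " + numberOfScalars + " exceeds limit " + MAX_NUMBER_OF_ARRAY_SCALARS);`, or the method's Javadoc should name the exception that is thrown. The enclosing read method starts and ends outside the hunk.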
Modified:
poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
URL:
http://svn.apache.org/viewvc/poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java?rev=1899749&r1=1899748&r2=1899749&view=diff
==============================================================================
--- poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
(original)
+++ poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java Mon
Apr 11 13:51:31 2022
@@ -40,6 +40,8 @@ class TestBiffViewer extends BaseTestIte
excludes.put("XRefCalc.xls", RuntimeException.class);
excludes.put("61300.xls", IndexOutOfBoundsException.class);
+ excludes.put("poi-fuzz.xls", RecordFormatException.class);
+
return excludes;
}
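Review bot: The new `excludes.put("poi-fuzz.xls", RecordFormatException.class)` entry only asserts that some `RecordFormatException` is raised while dumping the file, so it does not pin the new allocation guard in `Array`. If the guard regressed and a different record-level check rejected the file first, this test would still pass. A focused HPSF test would cover the fix directly: feed an array header whose scalar count is just above the limit and assert on the exception raised before any allocation. The enclosing method starts outside the hunk.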
Added: poi/trunk/test-data/spreadsheet/poi-fuzz.xls
URL:
http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/poi-fuzz.xls?rev=1899749&view=auto
==============================================================================
Binary files poi/trunk/test-data/spreadsheet/poi-fuzz.xls (added) and
poi/trunk/test-data/spreadsheet/poi-fuzz.xls Mon Apr 11 13:51:31 2022 differ
Modified: poi/trunk/test-data/spreadsheet/stress.xls
URL:
http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/stress.xls?rev=1899749&r1=1899748&r2=1899749&view=diff
==============================================================================
Binary files - no diff available.