pjfanning commented on code in PR #1079:
URL: https://github.com/apache/poi/pull/1079#discussion_r3298712046
##########
poi-ooxml/src/main/java/org/apache/poi/xssf/binary/XSSFBUtils.java:
##########
@@ -47,15 +47,14 @@ static int readXLNullableWideString(byte[] data, int
offset, StringBuilder sb) t
throw new XSSFBParseException("too many chars to read");
}
- int numBytes = 2*(int)numChars;
+ long numBytes = 2L*numChars;
offset += 4;
if (offset+numBytes > data.length) {
throw new XSSFBParseException("trying to read beyond data length:
" +
"offset="+offset+", numBytes="+numBytes+",
data.length="+data.length);
}
- sb.append(new String(data, offset, numBytes,
StandardCharsets.UTF_16LE));
- numBytes+=4;
- return numBytes;
+ sb.append(new String(data, offset, (int)numBytes,
StandardCharsets.UTF_16LE));
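Review bot: the `(int)numBytes` narrowing inside the `sb.append(new String(...))` call has no range check of its own. It relies on the earlier `offset+numBytes > data.length` test, which only keeps numBytes within int range when offset is non-negative. With numBytes now a long, add an explicit guard ahead of the cast, for example `if (numBytes > Integer.MAX_VALUE) throw new XSSFBParseException(...)`, or narrow with `Math.toIntExact(numBytes)` and translate the ArithmeticException into an XSSFBParseException. The removed `numBytes+=4; return numBytes;` lines mean the method's int return value needs the same narrowing; its replacement is not visible in this hunk and should be checked the same way.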
Review Comment:
you should validate before the cast in the sb.append params
##########
poi-ooxml/src/main/java/org/apache/poi/xssf/binary/XSSFBUtils.java:
##########
@@ -74,14 +73,13 @@ public static int readXLWideString(byte[] data, int offset,
StringBuilder sb) th
} else if (numChars > 0xFFFFFFFFL) {
throw new XSSFBParseException("too many chars to read");
}
- int numBytes = 2*(int)numChars;
+ long numBytes = 2L*numChars;
offset += 4;
if (offset+numBytes > data.length) {
throw new XSSFBParseException("trying to read beyond data length");
}
- sb.append(new String(data, offset, numBytes,
StandardCharsets.UTF_16LE));
- numBytes+=4;
- return numBytes;
+ sb.append(new String(data, offset, (int)numBytes,
StandardCharsets.UTF_16LE));
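Review bot: the bounds-check exception here, `throw new XSSFBParseException("trying to read beyond data length")`, omits the offset, numBytes and data.length values that the same check in readXLNullableWideString reports, which makes a rejected record harder to diagnose. Both methods now carry an identical sequence (widen to long, compare against data.length, cast back to int for `new String`), so consider moving it into one private helper that validates the range, builds the detailed message, and returns the int length. That also gives the unchecked `(int)numBytes` cast a single place to be guarded.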
Review Comment:
you should validate before the cast in the sb.append params
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.