Author: nick
Date: Tue Jun 25 15:49:45 2013
New Revision: 1496520
URL: http://svn.apache.org/r1496520
Log:
Sanity check the length, logging and truncating if too long, to avoid a
StringIndexOutOfBoundsException (bug #54925)
Modified:
poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java
Modified:
poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java?rev=1496520&r1=1496519&r2=1496520&view=diff
==============================================================================
---
poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java
(original)
+++
poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java
Tue Jun 25 15:49:45 2013
@@ -273,6 +273,7 @@ public final class StyleTextPropAtom ext
while(pos < rawContents.length && textHandled < prsize) {
// First up, fetch the number of characters this applies to
int textLen = LittleEndian.getInt(rawContents,pos);
+ textLen = checkTextLength(textLen, textHandled, size);
textHandled += textLen;
pos += 4;
@@ -308,6 +309,7 @@ public final class StyleTextPropAtom ext
while(pos < rawContents.length && textHandled < chsize) {
// First up, fetch the number of characters this applies to
int textLen = LittleEndian.getInt(rawContents,pos);
+ textLen = checkTextLength(textLen, textHandled, size);
textHandled += textLen;
pos += 4;
@@ -345,6 +347,15 @@ public final class StyleTextPropAtom ext
initialised = true;
}
+
+ private int checkTextLength(int readLength, int handledSoFar, int
overallSize) {
+ if (readLength + handledSoFar > overallSize + 1) {
+ logger.log(POILogger.WARN, "Style length of " + readLength + " at
" + handledSoFar +
+ " larger than stated size of " + overallSize + ",
truncating");
+ return overallSize + 1 - handledSoFar;
+ }
+ return readLength;
+ }
/**
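Review bot: The bound check in checkTextLength computes `readLength + handledSoFar` in int arithmetic, and readLength comes straight from `LittleEndian.getInt(rawContents,pos)` at both call sites (the loops bounded by prsize and chsize). Once handledSoFar is non-zero, a very large length in a malformed file can wrap the sum negative and skip the truncation. A negative readLength also passes through unchanged and would move textHandled backwards. Comparing against the remaining room avoids the addition: `if (readLength < 0 || readLength > overallSize + 1 - handledSoFar) {`; whether a negative length should be truncated or should stop parsing depends on code outside these hunks. A short comment saying why the limit is `overallSize + 1` rather than `overallSize` would also help, since nothing in the hunk explains the extra character.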