Author: tallison
Date: Tue Jul 25 01:38:35 2017
New Revision: 1802879
URL: http://svn.apache.org/viewvc?rev=1802879&view=rev
Log:
61295 -- prevent potential oom in HPSF triggered by fuzzed file
Modified:
poi/site/src/documentation/content/xdocs/status.xml
poi/trunk/src/java/org/apache/poi/hpsf/Vector.java
Modified: poi/site/src/documentation/content/xdocs/status.xml
URL:
http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/status.xml?rev=1802879&r1=1802878&r2=1802879&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/status.xml (original)
+++ poi/site/src/documentation/content/xdocs/status.xml Tue Jul 25 01:38:35 2017
@@ -58,6 +58,7 @@
<release version="3.17-beta2" date="2017-09-??">
<actions>
+ <action dev="PD" type="fix" fixes-bug="61295" module="HPSF">Avoid OOM
in hpsf with corrupt file.</action>
<action dev="PD" type="add" fixes-bug="61331" module="SL Common">Font
group handling / common font interface</action>
<action dev="PD" type="fix" fixes-bug="61300" module="POIFS">Avoid
infinite loop with corrupt file.</action>
<action dev="PD" type="fix" fixes-bug="61286,61287"
module="HSSF">Handle zero-length headerfooter and 2 byte
WriteProtectRecord</action>
Modified: poi/trunk/src/java/org/apache/poi/hpsf/Vector.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/java/org/apache/poi/hpsf/Vector.java?rev=1802879&r1=1802878&r2=1802879&view=diff
==============================================================================
--- poi/trunk/src/java/org/apache/poi/hpsf/Vector.java (original)
+++ poi/trunk/src/java/org/apache/poi/hpsf/Vector.java Tue Jul 25 01:38:35 2017
@@ -16,6 +16,9 @@
==================================================================== */
package org.apache.poi.hpsf;
+import java.util.ArrayList;
+import java.util.List;
+
import org.apache.poi.util.Internal;
import org.apache.poi.util.LittleEndianByteArrayInputStream;
@@ -40,8 +43,11 @@ class Vector {
}
final int length = (int) longLength;
- _values = new TypedPropertyValue[length];
-
+ //BUG-61295 -- avoid OOM on corrupt file. Build list instead
+ //of allocating array of length "length".
+ //If the length is corrupted and crazily big but < Integer.MAX_VALUE,
+ //this will trigger a RuntimeException "Buffer overrun" in
lei.checkPosition
+ List<TypedPropertyValue> values = new ArrayList<TypedPropertyValue>();
int paddedType = (_type == Variant.VT_VARIANT) ? 0 : _type;
for ( int i = 0; i < length; i++ ) {
TypedPropertyValue value = new TypedPropertyValue(paddedType,
null);
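Review bot: The loop `for ( int i = 0; i < length; i++ )` is still bounded only by the file-supplied `length`, so the fix depends on every iteration consuming input until `lei.checkPosition` throws. If any element type can be read without consuming bytes (worth checking in `readValue`, which is not visible here), a corrupt length just under Integer.MAX_VALUE would keep growing the `ArrayList` and exhaust memory anyway, only more slowly. An explicit bound before the loop would remove that dependency, e.g. `if (length > MAX_VECTOR_ELEMENTS) { throw new IllegalArgumentException("vector length " + length + " exceeds limit"); }`, where `MAX_VECTOR_ELEMENTS` is a new constant to be chosen, or a limit derived from the bytes remaining in the stream. The enclosing method starts above this hunk, so the existing check on `longLength` cannot be seen from here.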
@@ -50,8 +56,9 @@ class Vector {
} else {
value.readValue(lei);
}
- _values[i] = value;
+ values.add(value);
}
+ _values = values.toArray(new TypedPropertyValue[values.size()]);
}
TypedPropertyValue[] getValues(){