Author: centic
Date: Sun Mar 20 06:52:38 2022
New Revision: 1899070
URL: http://svn.apache.org/viewvc?rev=1899070&view=rev
Log:
Fix issues found when fuzzing Apache POI via Jazzer
Replace assertions with actual checks when input-data
can trigger them. We would not handle such
input-data properly otherwise.
Sometimes logging seems the better option, when the issue
does not block us from parsing the document anyway.
Modified:
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/SSSlideInfoAtom.java
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/UserEditAtom.java
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/OfficeArtContent.java
poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
Modified:
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java
URL:
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java?rev=1899070&r1=1899069&r2=1899070&view=diff
==============================================================================
---
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java
(original)
+++
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java
Sun Mar 20 06:52:38 2022
@@ -129,7 +129,9 @@ public final class PPDrawing extends Rec
// Build up a tree of Escher records contained within
final DefaultEscherRecordFactory erf = new HSLFEscherRecordFactory();
dgContainer.fillFields(source, start + 8, erf);
- assert dgContainer.getRecordId() ==
EscherRecordTypes.DG_CONTAINER.typeID;
+ if (dgContainer.getRecordId() !=
EscherRecordTypes.DG_CONTAINER.typeID) {
+ throw new IllegalArgumentException("Unexpected record
type: " + dgContainer.getRecordId());
+ }
dg = dgContainer.getChildById(EscherRecordTypes.DG.typeID);
textboxWrappers = Stream.of(dgContainer).
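Review bot: The new guard on `dgContainer.getRecordId()` reports a malformed record with `IllegalArgumentException`, while the UserEditAtom check in this same commit throws `HSLFException` for the same kind of bad input and the end-of-data check in OfficeArtContent throws `IllegalStateException`. Callers that parse untrusted documents need one exception family to catch for "this file is corrupt", and a mix of unchecked types makes it easy to miss one and let it propagate. Consider `throw new HSLFException("Unexpected record type: " + dgContainer.getRecordId());` here, assuming HSLFException is already imported in PPDrawing (the import block is not visible in the hunk). The enclosing method or constructor starts and ends outside the hunk.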
Modified:
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/SSSlideInfoAtom.java
URL:
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/SSSlideInfoAtom.java?rev=1899070&r1=1899069&r2=1899070&view=diff
==============================================================================
---
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/SSSlideInfoAtom.java
(original)
+++
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/SSSlideInfoAtom.java
Sun Mar 20 06:52:38 2022
@@ -198,13 +198,23 @@ public class SSSlideInfoAtom extends Rec
_header = Arrays.copyOfRange(source, ofs, ofs+8);
ofs += _header.length;
- assert(LittleEndian.getShort(_header, 0) == 0);
- assert(LittleEndian.getShort(_header, 2) ==
RecordTypes.SSSlideInfoAtom.typeID);
- assert(LittleEndian.getShort(_header, 4) == 0x10);
- assert(LittleEndian.getShort(_header, 6) == 0);
+ if (LittleEndian.getShort(_header, 0) != 0) {
+ LOG.atDebug().log("Invalid data for SSSlideInfoAtom at
offset 0: " + LittleEndian.getShort(_header, 0));
+ }
+ if (LittleEndian.getShort(_header, 2) !=
RecordTypes.SSSlideInfoAtom.typeID) {
+ LOG.atDebug().log("Invalid data for SSSlideInfoAtom at
offset 2: "+ LittleEndian.getShort(_header, 2));
+ }
+ if (LittleEndian.getShort(_header, 4) != 0x10) {
+ LOG.atDebug().log("Invalid data for SSSlideInfoAtom at
offset 4: "+ LittleEndian.getShort(_header, 4));
+ }
+ if (LittleEndian.getShort(_header, 6) == 0) {
+ LOG.atDebug().log("Invalid data for SSSlideInfoAtom at
offset 6: "+ LittleEndian.getShort(_header, 6));
+ }
_slideTime = LittleEndian.getInt(source, ofs);
- assert(0 <= _slideTime && _slideTime <= 86399000);
+ if (_slideTime < 0 || _slideTime > 86399000) {
+ LOG.atDebug().log("Invalid data for SSSlideInfoAtom -
invalid slideTime: "+ _slideTime);
+ }
ofs += LittleEndianConsts.INT_SIZE;
_soundIdRef = LittleEndian.getInt(source, ofs);
ofs += LittleEndianConsts.INT_SIZE;
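Review bot: The offset-6 check is inverted: the removed assertion required `LittleEndian.getShort(_header, 6) == 0`, but the new code logs "Invalid data" when the value is 0 and stays silent when it is not. It should read `if (LittleEndian.getShort(_header, 6) != 0) {`. The same inversion appears in the OfficeArtContent hunk at -76/+78, where `drawingGroupData.getRecordId() == EscherRecordTypes.DGG_CONTAINER.typeID` now logs the valid case and should use `!=`. Both branches only log at debug level, so parsing is unaffected, but the diagnostics point at well-formed records and hide malformed ones. The enclosing method starts and ends outside the hunk.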
Modified:
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/UserEditAtom.java
URL:
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/UserEditAtom.java?rev=1899070&r1=1899069&r2=1899070&view=diff
==============================================================================
---
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/UserEditAtom.java
(original)
+++
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/UserEditAtom.java
Sun Mar 20 06:52:38 2022
@@ -136,7 +136,10 @@ public final class UserEditAtom extends
offset += LittleEndianConsts.INT_SIZE;
}
- assert(offset-start == len);
+ if(offset-start != len) {
+ throw new HSLFException("Having invalid data in
UserEditAtom: "
+ + "len: " + len + ", offset: " + offset
+ ", start: " + start);
+ }
}
/**
Modified:
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java
URL:
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java?rev=1899070&r1=1899069&r2=1899070&view=diff
==============================================================================
---
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java
(original)
+++
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java
Sun Mar 20 06:52:38 2022
@@ -73,7 +73,7 @@ public class HSLFSlideShowEncrypted impl
1, // unused2
1, // unused3
};
-
+
protected HSLFSlideShowEncrypted(DocumentEncryptionAtom dea) {
this.dea = dea;
}
@@ -116,8 +116,8 @@ public class HSLFSlideShowEncrypted impl
r = Record.buildRecordAtOffset(docstream, encOffset);
recordMap.put(encOffset, r);
}
- assert(r instanceof DocumentEncryptionAtom);
- this.dea = (DocumentEncryptionAtom)r;
+
+ this.dea = (DocumentEncryptionAtom)r;
String pass = Biff8EncryptionKey.getCurrentUserPassword();
EncryptionInfo ei = getEncryptionInfo();
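Review bot: `assert(r instanceof DocumentEncryptionAtom)` is dropped here without a replacement, so the cast on the following line is the only type check left and a document whose record at `encOffset` has another type fails with a bare `ClassCastException`. That is the opposite of what the commit message describes for input-triggerable assertions. An explicit guard before the cast gives a clear parse error instead: `if (!(r instanceof DocumentEncryptionAtom)) { throw new HSLFException("Expected DocumentEncryptionAtom at offset " + encOffset); }`, assuming HSLFException (or the exception type this class already uses for bad input) is in scope. Whether `r` can be null at this point is not visible in the hunk; the `instanceof` guard would reject that case too, so confirm that is the intended behaviour. The enclosing method starts and ends outside the hunk.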
@@ -205,7 +205,7 @@ public class HSLFSlideShowEncrypted impl
ccis.close();
lei.close();
}
-
+
protected void decryptPicture(byte[] pictstream, int offset) {
if (dea == null) {
return;
@@ -229,14 +229,14 @@ public class HSLFSlideShowEncrypted impl
decryptPicBytes(pictstream, offset, part);
}
offset += 36;
-
+
int cbName = LittleEndian.getUShort(pictstream, offset-3);
if (cbName > 0) {
// read nameData
decryptPicBytes(pictstream, offset, cbName);
offset += cbName;
}
-
+
if (offset == endOffset) {
return; // no embedded blip
}
@@ -267,7 +267,7 @@ public class HSLFSlideShowEncrypted impl
// tag
nextBytes = 1;
}
-
+
decryptPicBytes(pictstream, offset, nextBytes);
offset += nextBytes;
@@ -304,19 +304,19 @@ public class HSLFSlideShowEncrypted impl
// File BLIP Store Entry (FBSE)
int cbName = LittleEndian.getUShort(pictstream, offset+33);
-
+
for (int part : BLIB_STORE_ENTRY_PARTS) {
ccos.write(pictstream, offset, part);
ccos.flush();
offset += part;
}
-
+
if (cbName > 0) {
ccos.write(pictstream, offset, cbName);
ccos.flush();
offset += cbName;
}
-
+
if (offset == endOffset) {
return; // no embedded blip
}
Modified:
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/OfficeArtContent.java
URL:
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/OfficeArtContent.java?rev=1899070&r1=1899069&r2=1899070&view=diff
==============================================================================
---
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/OfficeArtContent.java
(original)
+++
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/OfficeArtContent.java
Sun Mar 20 06:52:38 2022
@@ -21,6 +21,7 @@ import java.util.ArrayList;
import java.util.List;
import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
import org.apache.poi.ddf.DefaultEscherRecordFactory;
import org.apache.poi.ddf.EscherContainerRecord;
import org.apache.poi.ddf.EscherRecord;
@@ -37,6 +38,7 @@ import static org.apache.logging.log4j.u
*/
@Internal
public final class OfficeArtContent {
+ protected static final Logger LOG =
LogManager.getLogger(OfficeArtContent.class);
/**
* {@link EscherRecordTypes#DGG_CONTAINER} containing drawing group
information for the document.
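Review bot: `LOG` is declared `protected` in a class that is `public final`, so the wider visibility cannot serve any subclass and only exposes the logger to other classes in the package. `private static final Logger LOG = LogManager.getLogger(OfficeArtContent.class);` keeps it local to the class, which is the usual form for a per-class logger.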
@@ -76,7 +78,9 @@ public final class OfficeArtContent {
EscherRecordFactory recordFactory = new DefaultEscherRecordFactory();
int pos = offset;
pos += drawingGroupData.fillFields(data, pos, recordFactory);
- assert drawingGroupData.getRecordId() ==
EscherRecordTypes.DGG_CONTAINER.typeID;
+ if (drawingGroupData.getRecordId() ==
EscherRecordTypes.DGG_CONTAINER.typeID) {
+ LOG.atDebug().log("Invalid record-id for filling Escher
records: " + drawingGroupData.getRecordId());
+ }
/*
* After the drawingGroupData there is an array (2 slots max) that has
data about drawings. According to the
@@ -92,12 +96,18 @@ public final class OfficeArtContent {
// Named this way to match section 2.9.172 of [MS-DOC] - v20191119.
byte dgglbl = data[pos];
- assert dgglbl == 0x00 || dgglbl == 0x01;
+
+ if (dgglbl != 0x00 && dgglbl != 0x01) {
+ throw new IllegalArgumentException("Invalid
dgglbl when filling Escher records: " + dgglbl);
+ }
pos++;
EscherContainerRecord dgContainer = new EscherContainerRecord();
pos+= dgContainer.fillFields(data, pos, recordFactory);
- assert dgContainer.getRecordId() ==
EscherRecordTypes.DG_CONTAINER.typeID;
+ if (dgContainer.getRecordId() !=
EscherRecordTypes.DG_CONTAINER.typeID) {
+ throw new IllegalArgumentException("Did have an
invalid record-type: " + dgContainer.getRecordId() +
+ " when filling Escher records");
+ }
switch (dgglbl) {
case 0x00:
@@ -112,7 +122,10 @@ public final class OfficeArtContent {
}
}
- assert pos == offset + size;
+ if (pos != offset + size) {
+ throw new IllegalStateException("Did not read all data
when filling Escher records: "
+ + "pos: " + pos + ", offset: " + offset
+ ", size: " + size);
+ }
}
private List<? extends EscherContainerRecord> getDgContainers() {
Modified:
poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
URL:
http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java?rev=1899070&r1=1899069&r2=1899070&view=diff
==============================================================================
---
poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
(original)
+++
poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/RecordInputStream.java
Sun Mar 20 06:52:38 2022
@@ -420,7 +420,9 @@ public final class RecordInputStream imp
nextRecord();
// note - the compressed flag may change on the fly
byte compressFlag = readByte();
- assert(compressFlag == 0 || compressFlag == 1);
+ if (compressFlag != 0 && compressFlag != 1) {
+ throw new RecordFormatException("Invalid
compressFlag: " + compressFlag);
+ }
isCompressedEncoding = (compressFlag == 0);
}
}