Author: centic
Date: Wed Aug  9 05:45:21 2023
New Revision: 1911563

URL: http://svn.apache.org/viewvc?rev=1911563&view=rev
Log:
Bug 66425: Avoid a StackOverflowException found via oss-fuzz

We try to avoid causing StackOverflow, but it was possible
to trigger one here with a specially crafted input-file.

This puts a limit on the number of nested properties in place
and logs a warning when the StyleSheet is not fully parsed.

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61252

Added:
    
poi/trunk/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc
   (with props)
Modified:
    
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
    
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
    
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
    poi/trunk/test-data/spreadsheet/stress.xls

Modified: 
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java?rev=1911563&r1=1911562&r2=1911563&view=diff
==============================================================================
--- 
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
 (original)
+++ 
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/StyleSheet.java
 Wed Aug  9 05:45:21 2023
@@ -20,6 +20,8 @@ package org.apache.poi.hwpf.model;
 import java.io.IOException;
 import java.io.OutputStream;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.poi.hwpf.sprm.CharacterSprmUncompressor;
 import org.apache.poi.hwpf.sprm.ParagraphSprmUncompressor;
 import org.apache.poi.hwpf.usermodel.CharacterProperties;
@@ -39,6 +41,7 @@ import org.apache.poi.util.LittleEndianC
  */
 @Internal
 public final class StyleSheet {
+    private static final Logger LOG = LogManager.getLogger(StyleSheet.class);
 
     public static final int NIL_STYLE = 4095;
 //  private static final int PAP_TYPE = 1;
@@ -46,6 +49,9 @@ public final class StyleSheet {
 //  private static final int SEP_TYPE = 4;
 //  private static final int TAP_TYPE = 5;
 
+    private static final int MAX_PAPX_NESTING = 1000;
+    private static final int MAX_CHPX_NESTING = 1000;
+
     @Deprecated
     private static final ParagraphProperties NIL_PAP = new 
ParagraphProperties();
     @Deprecated
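Review bot: MAX_PAPX_NESTING and MAX_CHPX_NESTING are introduced without a comment saying what they bound or why 1000 was chosen, and the only explanation lives in the commit log. A short comment above them would keep that rationale in the code: `// Upper bound on the base-style recursion depth in createPap/createChp; guards against a StackOverflowError from a crafted chain of base styles (Bug 66425).` Whether 1000 is merely a generous default or tuned to the fuzz case cannot be told from the hunk, so say which in the comment.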
@@ -114,8 +120,8 @@ public final class StyleSheet {
         }
         for (int x = 0; x < _styleDescriptions.length; x++) {
             if (_styleDescriptions[x] != null) {
-                createPap(x);
-                createChp(x);
+                createPap(x, 0);
+                createChp(x, 0);
             }
         }
     }
@@ -203,7 +209,14 @@ public final class StyleSheet {
      *             ParagraphProperties  from (and also place the finished PAP 
in)
      */
     @Deprecated
-    private void createPap(int istd) {
+    private void createPap(int istd, int nesting) {
+        if (nesting > MAX_PAPX_NESTING) {
+            LOG.warn("Encountered too deep nesting, cannot fully process 
stylesheet at " + istd +
+                    " with more than " + MAX_PAPX_NESTING + " nested 
ParagraphProperties." +
+                    " Some data could not be parsed.");
+            return;
+        }
+
         StyleDescription sd = _styleDescriptions[istd];
         if (sd == null) {
             throw new IllegalStateException("Cannot create Pap, empty 
styleDescription, had : " + _styleDescriptions.length + " descriptions");
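Review bot: The new `nesting` parameter is not documented in the Javadoc that ends just above the signature (the `@param istd` text is visible at the top of the hunk); add `@param nesting current depth of the base-style recursion, 0 for the top-level call; once it exceeds MAX_PAPX_NESTING the method logs a warning and returns without creating the PAP`. The warning is built by string concatenation although the logger imported here is log4j2, which takes parameterized messages: `LOG.warn("Encountered too deep nesting, cannot fully process stylesheet at {} with more than {} nested ParagraphProperties. Some data could not be parsed.", istd, MAX_PAPX_NESTING);`. Both points apply equally to the createChp hunk further down. Note that after the early return the caller's `parentPAP` is still null, and the handling of that case lies outside the hunk, so whether the document then really continues as "partially parsed" or fails with an IllegalStateException cannot be confirmed from this diff; createPap's body continues past the hunk.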
@@ -227,7 +240,7 @@ public final class StyleSheet {
                         throw new IllegalStateException("Pap style " + istd + 
" claimed to have itself as its parent, which isn't allowed");
                     }
                     // Create the parent style
-                    createPap(baseIndex);
+                    createPap(baseIndex, nesting+1);
                     parentPAP = styleDescription.getPAP();
                 }
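Review bot: `createPap(baseIndex, nesting+1);` omits the spaces around `+` that the matching recursive call in createChp (`nesting + 1`) uses; make the two consistent, `createPap(baseIndex, nesting + 1);`. The enclosing createPap method starts and ends outside this hunk.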
 
@@ -253,7 +266,14 @@ public final class StyleSheet {
      *             CharacterProperties object from.
      */
     @Deprecated
-    private void createChp(int istd) {
+    private void createChp(int istd, int nesting) {
+        if (nesting > MAX_CHPX_NESTING) {
+            LOG.warn("Encountered too deep nesting, cannot fully process 
stylesheet at " + istd +
+                    " with more than " + MAX_CHPX_NESTING + " nested 
CharacterProperties." +
+                    " Some data could not be parsed.");
+            return;
+        }
+
         StyleDescription sd = _styleDescriptions[istd];
         if (sd == null) {
             throw new IllegalStateException("Cannot create Chp, empty 
styleDescription, had : " + _styleDescriptions.length + " descriptions");
@@ -282,7 +302,7 @@ public final class StyleSheet {
 
                 parentCHP = styleDescription.getCHP();
                 if (parentCHP == null) {
-                    createChp(baseIndex);
+                    createChp(baseIndex, nesting + 1);
                     parentCHP = styleDescription.getCHP();
                 }
                 if (parentCHP == null) {

Modified: 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java?rev=1911563&r1=1911562&r2=1911563&view=diff
==============================================================================
--- 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
 (original)
+++ 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java
 Wed Aug  9 05:45:21 2023
@@ -58,7 +58,8 @@ public class TestWordToConverterSuite
         // Corrupt files
         "Fuzzed.doc",
         "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
-        "TestHPSFWritingFunctionality.doc"
+        "TestHPSFWritingFunctionality.doc",
+        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc"
     );
 
     public static Stream<Arguments> files() {
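Review bot: The only test change for the new fuzz file is to list it among the "Corrupt files" that both converter suites skip (here and in the TestWordToTextConverter hunk below), so nothing in this commit asserts the fixed behaviour: that opening clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc no longer ends in a StackOverflowError. A small test that opens the file and accepts only the expected outcome (a parsed document or an IllegalStateException, whichever the StyleSheet path now produces) would keep the regression from returning silently. This may already be covered by a generic all-files test elsewhere in the build; if so, a one-line comment next to the entry pointing there would make that clear.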

Modified: 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java?rev=1911563&r1=1911562&r2=1911563&view=diff
==============================================================================
--- 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
 (original)
+++ 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java
 Wed Aug  9 05:45:21 2023
@@ -50,7 +50,8 @@ public class TestWordToTextConverter {
         "TestRobert_Flaherty.doc",
         // Corrupt files
         "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc",
-        "TestHPSFWritingFunctionality.doc"
+        "TestHPSFWritingFunctionality.doc",
+        "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc"
     );
 
     /**

Added: 
poi/trunk/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc
URL: 
http://svn.apache.org/viewvc/poi/trunk/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc?rev=1911563&view=auto
==============================================================================
Binary file - no diff available.

Propchange: 
poi/trunk/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc
------------------------------------------------------------------------------
    svn:mime-type = application/msword

Modified: poi/trunk/test-data/spreadsheet/stress.xls
URL: 
http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/stress.xls?rev=1911563&r1=1911562&r2=1911563&view=diff
==============================================================================
Binary files - no diff available.


