Author: centic Date: Wed Aug 9 16:16:49 2023 New Revision: 1911577 URL: http://svn.apache.org/viewvc?rev=1911577&view=rev Log: Bug 66425: Avoid a StackOverflowException found via oss-fuzz
We try to avoid causing StackOverflow, but it was possible to trigger one here with a specially crafted input-file. This puts a limit on the number of nested children in place and logs a warning when the Stream is not fully parsed. Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61256 Added: poi/trunk/test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-5947849161179136.vsd (with props) Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java poi/trunk/test-data/spreadsheet/stress.xls Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java?rev=1911577&r1=1911576&r2=1911577&view=diff ==============================================================================
--- poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java (original)
+++ poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/streams/PointerContainingStream.java Wed Aug 9 16:16:49 2023
@@ -17,6 +17,8 @@ package org.apache.poi.hdgf.streams;
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.poi.hdgf.chunks.ChunkFactory;
 import org.apache.poi.hdgf.pointers.Pointer;
 import org.apache.poi.hdgf.pointers.PointerFactory;
@@ -26,11 +28,15 @@ import org.apache.poi.hdgf.pointers.Poin * other data too. */ public class PointerContainingStream extends Stream { // TODO - instantiable superclass - private Pointer[] childPointers; + private static final Logger LOG = LogManager.getLogger(PointerContainingStream.class); + + private static final int MAX_CHILDREN_NESTING = 1000; + + private final Pointer[] childPointers; private Stream[] childStreams; - private ChunkFactory chunkFactory; - private PointerFactory pointerFactory; + private final ChunkFactory chunkFactory; + private final PointerFactory pointerFactory; protected PointerContainingStream(Pointer pointer, StreamStore store, ChunkFactory chunkFactory, PointerFactory pointerFactory) { super(pointer, store); @@ -58,6 +64,17 @@ public class PointerContainingStream ext * those if appropriate. */ public void findChildren(byte[] documentData) { + findChildren(documentData, 0); + } + + private void findChildren(byte[] documentData, int nesting) { + if (nesting > MAX_CHILDREN_NESTING) { + LOG.warn("Encountered too deep nesting, cannot fully process stream " + + " with more than " + MAX_CHILDREN_NESTING + " nested children." + + " Some data could not be parsed."); + return; + } + // For each pointer, generate the Stream it points to childStreams = new Stream[childPointers.length]; for(int i=0; i<childPointers.length; i++) { 
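Review bot: The depth guard added at the top of the new private `findChildren(byte[], int)` returns before `childStreams` is assigned, so a stream cut off at the limit keeps whatever the field held before (null unless the constructor initialises it, which this diff does not show), while every fully processed stream ends up holding an array; a consumer walking the children of the truncated stream could fail with a NullPointerException instead of stopping quietly as the warning promises. Placing `childStreams = new Stream[0];` immediately before the `return;` leaves the truncated stream in the same state as one with no children. The warning concatenates `"...process stream " + " with more than "`, which prints two spaces; dropping the trailing space from the first literal fixes the message. The limit also bounds depth only, not total work: if pointers in a crafted file can refer back to an enclosing stream (I cannot tell from the hunk whether Pointer offsets are checked for that), the same subtree is re-expanded at every level down to the limit, so a set of already-visited pointer offsets or an overall child budget would stop such input far earlier than the depth check. The `for` loop that follows runs past the end of this hunk.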
@@ -74,7 +91,7 @@ public class PointerContainingStream ext
 if(childStreams[i] instanceof PointerContainingStream) {
 PointerContainingStream child = (PointerContainingStream)childStreams[i];
- child.findChildren(documentData);
+ child.findChildren(documentData, nesting + 1);
 }
 }
 }
Added: poi/trunk/test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-5947849161179136.vsd URL: http://svn.apache.org/viewvc/poi/trunk/test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-5947849161179136.vsd?rev=1911577&view=auto ============================================================================== Binary file - no diff available. Propchange: poi/trunk/test-data/diagram/clusterfuzz-testcase-minimized-POIHDGFFuzzer-5947849161179136.vsd ------------------------------------------------------------------------------ svn:mime-type = application/vnd.visio Modified: poi/trunk/test-data/spreadsheet/stress.xls URL: http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/stress.xls?rev=1911577&r1=1911576&r2=1911577&view=diff ============================================================================== Binary files - no diff available. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
