Author: centic Date: Sun Sep 17 14:38:24 2023 New Revision: 1912365 URL: http://svn.apache.org/viewvc?rev=1912365&view=rev Log: Bug 66425: Avoid NullPointerExceptions and ClassCastExceptions found via poi-fuzz
We try to avoid throwing NullPointerException and ClassCastExceptions, but it was possible to trigger them Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62414 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62442 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62450 Added: poi/trunk/test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-5313273089884160.docx (with props) poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt (with props) poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt (with props) Modified: poi/trunk/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFComment.java poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/PPTXMLDump.java poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/SlideShowDumper.java poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/DocumentEncryptionAtom.java poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPDrawingTextListing.java poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowDumper.java poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionHeader.java poi/trunk/test-data/spreadsheet/stress.xls Modified: poi/trunk/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFComment.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFComment.java?rev=1912365&r1=1912364&r2=1912365&view=diff 
============================================================================== --- poi/trunk/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFComment.java (original) +++ poi/trunk/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFComment.java Sun Sep 17 14:38:24 2023 @@ -21,6 +21,7 @@ import org.apache.xmlbeans.XmlCursor; import org.apache.xmlbeans.XmlObject; import org.openxmlformats.schemas.wordprocessingml.x2006.main.*; +import java.math.BigInteger; import java.util.ArrayList; import java.util.Calendar; import java.util.Collections; @@ -361,7 +362,8 @@ public class XWPFComment implements IBod * @return string id */ public String getId() { - return ctComment.getId().toString(); + final BigInteger id = ctComment.getId(); + return id == null ? "-1" : id.toString(); } /** Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/PPTXMLDump.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/PPTXMLDump.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/PPTXMLDump.java (original) +++ poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/PPTXMLDump.java Sun Sep 17 14:38:24 2023 @@ -17,6 +17,7 @@ package org.apache.poi.hslf.dev; +import java.io.BufferedWriter; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; @@ -26,7 +27,6 @@ import java.io.Writer; import java.nio.charset.StandardCharsets; import java.util.Arrays; -import org.apache.commons.io.output.StringBuilderWriter; import org.apache.commons.io.output.UnsynchronizedByteArrayOutputStream; import org.apache.poi.hslf.record.RecordTypes; import org.apache.poi.hslf.usermodel.HSLFSlideShow; 
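Review bot: In `getId()` the new `"-1"` fallback is an in-band sentinel that the Javadoc (`@return string id`) does not mention, so every comment without an id in a malformed document reports the same id. Any caller that keys comments by this string would conflate those entries; whether such a caller exists is not visible in this hunk. I would at least document the contract, e.g. `@return string id, or "-1" if the underlying comment has no id`.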
@@ -122,6 +122,11 @@ public final class PPTXMLDump { int size = (int)LittleEndian.getUInt(data, pos); pos += LittleEndianConsts.INT_SIZE; + if (size < 0) { + // stop processing of invalid header data + continue; + } + //get name of the record by type String recname = RecordTypes.forTypeID(type).name(); write(out, "<"+recname + " info=\""+info+"\" type=\""+type+"\" size=\""+size+"\" offset=\""+(pos-8)+"\"", padding); @@ -214,12 +219,10 @@ public final class PPTXMLDump { dump.dump(out); out.close(); } else { - StringBuilderWriter out = new StringBuilderWriter(1024); - dump.dump(out); - System.out.println(out); + dump.dump(new BufferedWriter( + new OutputStreamWriter(System.out, StandardCharsets.UTF_8))); } } - } } Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/SlideShowDumper.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/SlideShowDumper.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/SlideShowDumper.java (original) +++ poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/dev/SlideShowDumper.java Sun Sep 17 14:38:24 2023 @@ -194,6 +194,11 @@ public final class SlideShowDumper { pos += 8; out.printf(Locale.ROOT, ind + "That's a %2$s%n", "", recordName); + if (len < 0 /*|| len > Integer.MAX_VALUE*/) { + // stop processing of invalid header data + continue; + } + // Now check if it's a container or not int container = opt & 0x0f; 
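Review bot: The guard added after the size read in PPTXMLDump is commented `// stop processing of invalid header data`, but `continue` only skips this record. Assuming the enclosing loop (outside the hunk) re-tests `pos`, parsing resumes 8 bytes further on and treats whatever follows as the next header, so `break;` would match the comment if stopping is the intent. The check also catches only sizes that wrap negative in the `(int)` cast, so a positive `size` larger than the remaining data still passes. The same `continue` is added in SlideShowDumper at `@@ -194,6 +194,11 @@`, where `len < 0` looks unreachable if `len` is the `long` result of an unsigned read, leaving the commented-out `len > Integer.MAX_VALUE` as the only condition that could fire.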
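Review bot: In `main`, the `BufferedWriter` wrapped around `System.out` is never flushed in the visible code, so the tail of the dump can be lost unless `dump()` flushes its writer itself, which this hunk does not show. Keeping a reference and flushing after the call fixes that without closing `System.out`: `Writer out = new BufferedWriter(new OutputStreamWriter(System.out, StandardCharsets.UTF_8));`, `dump.dump(out);`, `out.flush();`.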
@@ -219,7 +224,7 @@ public final class SlideShowDumper { } } - pos += (int) len; + pos += (int) Math.min(len, Integer.MAX_VALUE); } } Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/DocumentEncryptionAtom.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/DocumentEncryptionAtom.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/DocumentEncryptionAtom.java (original) +++ poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/DocumentEncryptionAtom.java Sun Sep 17 14:38:24 2023 @@ -26,8 +26,10 @@ import java.util.function.Supplier; import org.apache.poi.EncryptedDocumentException; import org.apache.poi.poifs.crypt.CipherAlgorithm; +import org.apache.poi.poifs.crypt.EncryptionHeader; import org.apache.poi.poifs.crypt.EncryptionInfo; import org.apache.poi.poifs.crypt.EncryptionMode; +import org.apache.poi.poifs.crypt.EncryptionVerifier; import org.apache.poi.poifs.crypt.HashAlgorithm; import org.apache.poi.poifs.crypt.cryptoapi.CryptoAPIEncryptionHeader; import org.apache.poi.poifs.crypt.cryptoapi.CryptoAPIEncryptionVerifier; 
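Review bot: Clamping to `Integer.MAX_VALUE` in `pos += (int) Math.min(len, Integer.MAX_VALUE);` removes the truncating cast but not the overflow. `pos` has already been advanced by 8 earlier in the loop body, so if it is an `int` (its declaration is outside the hunk), adding `Integer.MAX_VALUE` wraps it negative. Depending on the loop condition, which is also outside the hunk, that negative `pos` could be used as an array index on the next iteration. Bounding the step by the remaining data is safer, e.g. `pos = (int) Math.min((long) pos + len, end);`, where `end` is a placeholder for whatever upper bound the loop already uses.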
@@ -118,8 +120,16 @@ public final class DocumentEncryptionAto bos.writeShort(ei.getVersionMinor()); bos.writeInt(ei.getEncryptionFlags()); - ((CryptoAPIEncryptionHeader)ei.getHeader()).write(bos); - ((CryptoAPIEncryptionVerifier)ei.getVerifier()).write(bos); + final EncryptionHeader header = ei.getHeader(); + if (!(header instanceof CryptoAPIEncryptionHeader)) { + throw new IllegalStateException("Had unexpected type of header: " + header.getClass()); + } + ((CryptoAPIEncryptionHeader) header).write(bos); + final EncryptionVerifier verifier = ei.getVerifier(); + if (!(verifier instanceof CryptoAPIEncryptionVerifier)) { + throw new IllegalStateException("Had unexpected type of verifier: " + verifier.getClass()); + } + ((CryptoAPIEncryptionVerifier) verifier).write(bos); // Header LittleEndian.putInt(_header, 4, bos.getWriteIndex()); Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java (original) +++ poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java Sun Sep 17 14:38:24 2023 
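Review bot: Both new messages call `getClass()` on the value that just failed `instanceof`, and `instanceof` is also false for `null`, so a missing header or verifier still ends in a NullPointerException instead of the intended IllegalStateException. Building the message null-safely closes the gap: `"Had unexpected type of header: " + (header == null ? null : header.getClass())`, and likewise for `verifier`. Whether `ei.getHeader()` or `ei.getVerifier()` can return null for a malformed file is not visible here, but that exception type is exactly what the commit sets out to avoid.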
@@ -64,6 +64,7 @@ public abstract class BaseTestPPTIterati EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6416153805979648.ppt", Exception.class); EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6710128412590080.ppt", RuntimeException.class); EXCLUDED.put("clusterfuzz-testcase-minimized-POIFuzzer-5429732352851968.ppt", FileNotFoundException.class); + EXCLUDED.put("clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt", FileNotFoundException.class); } public static Stream<Arguments> files() { Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPDrawingTextListing.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPDrawingTextListing.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPDrawingTextListing.java (original) +++ poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPDrawingTextListing.java Sun Sep 17 14:38:24 2023 @@ -19,12 +19,20 @@ package org.apache.poi.hslf.dev; import static org.junit.jupiter.api.Assertions.assertThrows; import java.io.File; +import java.io.FileNotFoundException; import java.io.IOException; +import java.util.HashSet; +import java.util.Set; import org.apache.poi.EmptyFileException; import org.junit.jupiter.api.Test; public class TestPPDrawingTextListing extends BaseTestPPTIterating { + static final Set<String> LOCAL_EXCLUDED = new HashSet<>(); + static { + LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt"); + } + @Test void testMain() throws IOException { // calls System.exit(): PPDrawingTextListing.main(new String[0]); 
@@ -33,6 +41,17 @@ public class TestPPDrawingTextListing ex @Override void runOneFile(File pFile) throws Exception { - PPDrawingTextListing.main(new String[]{pFile.getAbsolutePath()}); + try { + PPDrawingTextListing.main(new String[]{pFile.getAbsolutePath()}); + } catch (IndexOutOfBoundsException | IOException e) { + if (!LOCAL_EXCLUDED.contains(pFile.getName())) { + throw e; + } + } + + // work around one file which works here but not in other tests + if (pFile.getName().equals("clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt")) { + throw new FileNotFoundException(); + } } } Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java (original) +++ poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java Sun Sep 17 14:38:24 2023 @@ -34,6 +34,8 @@ public class TestPPTXMLDump extends Base static { LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt"); LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6032591399288832.ppt"); + LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt"); + LOCAL_EXCLUDED.add("ppt_with_png_encrypted.ppt"); } @Test 
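Review bot: In `runOneFile` the only entry in `LOCAL_EXCLUDED` is the same file for which the method unconditionally throws `FileNotFoundException` afterwards, so for that file the test ends the same way whether `main` threw or returned normally. The comment `// work around one file which works here but not in other tests` says it succeeds, while the new catch implies it may throw `IndexOutOfBoundsException` or `IOException`; one of the two branches is redundant. I would keep only the branch that matches the observed behaviour and say so in the comment, e.g. `// main() succeeds on this file, but BaseTestPPTIterating expects FileNotFoundException for it`.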
@@ -52,14 +54,18 @@ public class TestPPTXMLDump extends Base void runOneFile(File pFile) throws Exception { try { PPTXMLDump.main(new String[]{pFile.getAbsolutePath()}); + if (LOCAL_EXCLUDED.contains(pFile.getName())) { + throw new IllegalStateException("Expected failure for file " + pFile + ", but processing did not throw an exception"); + } } catch (IndexOutOfBoundsException | IOException e) { if (!LOCAL_EXCLUDED.contains(pFile.getName())) { throw e; } } - // work around one file which works here but not in other tests - if (pFile.getName().equals("clusterfuzz-testcase-minimized-POIFuzzer-5429732352851968.ppt")) { + // work around two files which works here but not in other tests + if (pFile.getName().equals("clusterfuzz-testcase-minimized-POIFuzzer-5429732352851968.ppt") || + pFile.getName().equals("clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt")) { throw new FileNotFoundException(); } } Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java (original) +++ poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java Sun Sep 17 14:38:24 2023 @@ -31,6 +31,7 @@ public class TestSlideIdListing extends static final Set<String> LOCAL_EXCLUDED = new HashSet<>(); static { LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt"); + LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt"); } @Test 
@@ -46,7 +47,7 @@ public class TestSlideIdListing extends void runOneFile(File pFile) throws Exception { try { SlideIdListing.main(new String[]{pFile.getAbsolutePath()}); - } catch (IllegalArgumentException e) { + } catch (RuntimeException e) { if (!LOCAL_EXCLUDED.contains(pFile.getName())) { throw e; } Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowDumper.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowDumper.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowDumper.java (original) +++ poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowDumper.java Sun Sep 17 14:38:24 2023 @@ -38,6 +38,7 @@ public class TestSlideShowDumper extends FAILING.add("cryptoapi-proc2356.ppt"); FAILING.add("41384.ppt"); FAILING.add("bug56240.ppt"); + FAILING.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt"); } @Test @@ -66,7 +67,7 @@ public class TestSlideShowDumper extends } } catch (FileNotFoundException e) { // some old files are not detected correctly - if(!OLD_FILES.contains(pFile.getName())) { + if(!FAILING.contains(pFile.getName()) && !OLD_FILES.contains(pFile.getName())) { throw e; } } Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java (original) +++ poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java Sun Sep 17 14:38:24 2023 
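Review bot: Widening the catch in TestSlideIdListing's `runOneFile` from `IllegalArgumentException` to `RuntimeException` means any unchecked exception is now accepted for files in `LOCAL_EXCLUDED`, including the NullPointerException and ClassCastException this commit is meant to eliminate. Naming the expected types keeps the test able to catch a regression, e.g. `} catch (IllegalArgumentException | IllegalStateException e) {`. That assumes `IllegalStateException` is what the newly excluded file raises here, as the other dumper tests in this commit suggest for the same file.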
@@ -20,12 +20,19 @@ import static org.junit.jupiter.api.Asse import java.io.File; import java.io.IOException; +import java.util.HashSet; +import java.util.Set; import org.apache.poi.EmptyFileException; import org.apache.poi.hslf.HSLFTestDataSamples; import org.junit.jupiter.api.Test; public class TestSlideShowRecordDumper extends BaseTestPPTIterating { + static final Set<String> LOCAL_EXCLUDED = new HashSet<>(); + static { + LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt"); + } + @Test void testMain() throws IOException { SlideShowRecordDumper.main(new String[] { @@ -47,6 +54,12 @@ public class TestSlideShowRecordDumper e @Override void runOneFile(File pFile) throws Exception { - SlideShowRecordDumper.main(new String[]{pFile.getAbsolutePath()}); + try { + SlideShowRecordDumper.main(new String[]{pFile.getAbsolutePath()}); + } catch (IllegalStateException e) { + if (!LOCAL_EXCLUDED.contains(pFile.getName())) { + throw e; + } + } } } \ No newline at end of file Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java (original) +++ poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java Sun Sep 17 14:38:24 2023 
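Review bot: The new try/catch in TestSlideShowRecordDumper's `runOneFile` tolerates `IllegalStateException` for the excluded file but does not fail when that file stops throwing, so a stale entry in `LOCAL_EXCLUDED` would go unnoticed. TestPPTXMLDump gains such a check in this same commit, but copying it verbatim would not work here because its `IllegalStateException` would be swallowed by this catch. An `Error` type avoids that, placed right after the `main` call inside the try: `if (LOCAL_EXCLUDED.contains(pFile.getName())) { throw new AssertionError("Expected failure for file " + pFile); }`. The same applies to TestUserEditAndPersistListing at `@@ -33,6 +40,12 @@`.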
@@ -20,11 +20,18 @@ import static org.junit.jupiter.api.Asse import java.io.File; import java.io.IOException; +import java.util.HashSet; +import java.util.Set; import org.apache.poi.EmptyFileException; import org.junit.jupiter.api.Test; public class TestUserEditAndPersistListing extends BaseTestPPTIterating { + static final Set<String> LOCAL_EXCLUDED = new HashSet<>(); + static { + LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt"); + } + @Test void testMain() throws IOException { // calls System.exit(): UserEditAndPersistListing.main(new String[0]); @@ -33,6 +40,12 @@ public class TestUserEditAndPersistListi @Override void runOneFile(File pFile) throws Exception { - UserEditAndPersistListing.main(new String[]{pFile.getAbsolutePath()}); + try { + UserEditAndPersistListing.main(new String[]{pFile.getAbsolutePath()}); + } catch (IllegalStateException e) { + if (!LOCAL_EXCLUDED.contains(pFile.getName())) { + throw e; + } + } } } \ No newline at end of file Modified: poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionHeader.java URL: http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionHeader.java?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== --- poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionHeader.java (original) +++ poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/AgileEncryptionHeader.java Sun Sep 17 14:38:24 2023 
@@ -61,7 +61,7 @@ public class AgileEncryptionHeader exten setFlags(0); setSizeExtra(0); setCspName(null); - setBlockSize(keyData.getBlockSize()); + setBlockSize(keyData.getBlockSize() == null ? 0 : keyData.getBlockSize()); setChainingMode(keyData.getCipherChaining()); Added: poi/trunk/test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-5313273089884160.docx URL: http://svn.apache.org/viewvc/poi/trunk/test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-5313273089884160.docx?rev=1912365&view=auto ============================================================================== Binary file - no diff available. Propchange: poi/trunk/test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-5313273089884160.docx ------------------------------------------------------------------------------ --- svn:mime-type (added) +++ svn:mime-type Sun Sep 17 14:38:24 2023 
@@ -0,0 +1 @@ +application/vnd.openxmlformats-officedocument.wordprocessingml.document Added: poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt URL: http://svn.apache.org/viewvc/poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt?rev=1912365&view=auto ============================================================================== Binary file - no diff available. Propchange: poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt ------------------------------------------------------------------------------ svn:mime-type = application/vnd.ms-powerpoint Added: poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt URL: http://svn.apache.org/viewvc/poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt?rev=1912365&view=auto ============================================================================== Binary file - no diff available. Propchange: poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt ------------------------------------------------------------------------------ svn:mime-type = application/vnd.ms-powerpoint Modified: poi/trunk/test-data/spreadsheet/stress.xls URL: http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/stress.xls?rev=1912365&r1=1912364&r2=1912365&view=diff ============================================================================== Binary files - no diff available. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
