Author: centic
Date: Wed Sep 20 14:55:19 2023
New Revision: 1912433

URL: http://svn.apache.org/viewvc?rev=1912433&view=rev
Log:
Bug 66425: Avoid exceptions found via poi-fuzz

We try to avoid throwing NullPointerException, ClassCastException and
StackOverflowError, but it was possible to trigger them.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62530 and 
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62491

Added:
    
poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5231088823566336.ppt
   (with props)
    
poi/trunk/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-5786329142919168.xls
   (with props)
Modified:
    
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/converter/WordToTextConverter.java
    
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
    
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
    poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/CFRule12Record.java
    
poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/PasswordKeyEncryptor.java
    poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
    poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestFormulaViewer.java
    poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestRecordLister.java
    
poi/trunk/poi/src/test/java/org/apache/poi/hssf/usermodel/TestHSSFWorkbook.java
    poi/trunk/test-data/spreadsheet/stress.xls

Modified: 
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/converter/WordToTextConverter.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/converter/WordToTextConverter.java?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
--- 
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/converter/WordToTextConverter.java
 (original)
+++ 
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/converter/WordToTextConverter.java
 Wed Sep 20 14:55:19 2023
@@ -54,7 +54,7 @@ import org.w3c.dom.Element;
 public class WordToTextConverter extends AbstractWordConverter {
     private static final Logger LOG = 
LogManager.getLogger(WordToTextConverter.class);
 
-    private static final int MAX_NESTED_CHILD_NODES = 400;
+    private static final int MAX_NESTED_CHILD_NODES = 300;
 
     public static String getText( DirectoryNode root ) throws Exception
     {
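Review bot: The lowered `MAX_NESTED_CHILD_NODES` carries no comment saying where 300 comes from or what it protects against, so the next fuzz finding is likely to produce another unexplained change of the number. The limit apparently exists to stop a deeply nested document from exhausting the thread stack, and the safe depth then depends on the stack size of the running JVM, so a fixed value is only a heuristic. I would add a comment above the constant such as `// caps recursion over nested child nodes so crafted documents cannot cause a StackOverflowError; value tuned empirically, see Bug 66425`. The code that enforces the limit is outside this hunk.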

Modified: 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
--- 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
 (original)
+++ 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
 Wed Sep 20 14:55:19 2023
@@ -35,7 +35,6 @@ import java.util.stream.Stream;
 
 import org.apache.poi.POIDataSamples;
 import org.apache.poi.hslf.exceptions.EncryptedPowerPointFileException;
-import org.apache.poi.hslf.exceptions.HSLFException;
 import org.apache.poi.hslf.exceptions.OldPowerPointFormatException;
 import org.apache.poi.util.IOUtils;
 import org.apache.commons.io.output.NullPrintStream;
@@ -67,6 +66,7 @@ public abstract class BaseTestPPTIterati
         
EXCLUDED.put("clusterfuzz-testcase-minimized-POIFuzzer-5429732352851968.ppt", 
FileNotFoundException.class);
         
EXCLUDED.put("clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt", 
FileNotFoundException.class);
         
EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5962760801091584.ppt",
 RuntimeException.class);
+        
EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5231088823566336.ppt",
 FileNotFoundException.class);
     }
 
     public static Stream<Arguments> files() {

Modified: 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
--- 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
 (original)
+++ 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestPPTXMLDump.java
 Wed Sep 20 14:55:19 2023
@@ -65,7 +65,8 @@ public class TestPPTXMLDump extends Base
 
         // work around two files which works here but not in other tests
         if 
(pFile.getName().equals("clusterfuzz-testcase-minimized-POIFuzzer-5429732352851968.ppt")
 ||
-                
pFile.getName().equals("clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt"))
 {
+                
pFile.getName().equals("clusterfuzz-testcase-minimized-POIFuzzer-5681320547975168.ppt")
 ||
+                
pFile.getName().equals("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5231088823566336.ppt"))
 {
             throw new FileNotFoundException();
         }
     }
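Review bot: The comment `// work around two files which works here but not in other tests` is stale after this change, because the condition now names three files. I would reword it to `// work around files which work here but not in other tests`. Since the list grows with each fuzz case, the names could also move into a `Set<String>` constant checked with `contains(pFile.getName())`. The enclosing method starts outside the hunk.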

Modified: 
poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/CFRule12Record.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/CFRule12Record.java?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
--- poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/CFRule12Record.java 
(original)
+++ poi/trunk/poi/src/main/java/org/apache/poi/hssf/record/CFRule12Record.java 
Wed Sep 20 14:55:19 2023
@@ -408,7 +408,9 @@ public final class CFRule12Record extend
         out.writeShort(priority);
         out.writeShort(template_type);
         out.writeByte(template_param_length);
-        out.write(template_params);
+        if (template_params != null) {
+            out.write(template_params);
+        }
 
         byte type = getConditionType();
         if (type == CONDITION_TYPE_COLOR_SCALE) {
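Review bot: The new null guard skips `out.write(template_params)`, but the line above still writes `template_param_length` unchanged, so if that field is non-zero while `template_params` is null the serialized record announces parameter bytes that are never written. The second hunk keeps the size calculation in step with the bytes actually emitted, but it does not cover the length byte either. Whether a null array and a non-zero length can occur together is not visible here; a fuzzed input did reach the null case, so normalising is worthwhile. Either write `out.writeByte(template_params == null ? 0 : template_params.length);` or set `template_params` to an empty array where the record is read. Both methods start and end outside the hunks.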
@@ -432,7 +434,7 @@ public final class CFRule12Record extend
         len += getFormulaSize(getFormula1());
         len += getFormulaSize(getFormula2());
         len += 2 + getFormulaSize(formula_scale);
-        len += 6 + template_params.length;
+        len += 6 + (template_params == null ? 0 : template_params.length);
 
         byte type = getConditionType();
         if (type == CONDITION_TYPE_COLOR_SCALE) {

Modified: 
poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/PasswordKeyEncryptor.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/PasswordKeyEncryptor.java?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
--- 
poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/PasswordKeyEncryptor.java
 (original)
+++ 
poi/trunk/poi/src/main/java/org/apache/poi/poifs/crypt/agile/PasswordKeyEncryptor.java
 Wed Sep 20 14:55:19 2023
@@ -109,7 +109,7 @@ public class PasswordKeyEncryptor {
         blockSize = getIntAttr(passwordKey, "blockSize");
         keyBits = getIntAttr(passwordKey, "keyBits");
         hashSize = getIntAttr(passwordKey, "hashSize");
-        cipherAlgorithm = 
CipherAlgorithm.fromXmlId(passwordKey.getAttribute("cipherAlgorithm"), keyBits);
+        cipherAlgorithm = 
CipherAlgorithm.fromXmlId(passwordKey.getAttribute("cipherAlgorithm"), keyBits 
== null ? -1 : keyBits);
         cipherChaining = 
ChainingMode.fromXmlId(passwordKey.getAttribute("cipherChaining"));
         hashAlgorithm = 
HashAlgorithm.fromEcmaId(passwordKey.getAttribute("hashAlgorithm"));
         saltValue = getBinAttr(passwordKey, "saltValue");
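Review bot: A missing `keyBits` attribute is now mapped to the sentinel `-1` and passed to `CipherAlgorithm.fromXmlId`, so rejecting the malformed descriptor is left to whatever that lookup does with an unknown key size, which this hunk does not show. `blockSize` and `hashSize` on the lines above come from the same `getIntAttr` call; if it can return null for them too, they would fail at first unboxing somewhere later rather than at parse time. For encryption metadata read from an untrusted file I would reject explicitly here, for example `if (keyBits == null) { throw new EncryptedDocumentException("keyBits attribute is missing"); }`, and apply the same check to the other integer attributes. The enclosing block starts and ends outside the hunk.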

Modified: 
poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
--- poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java 
(original)
+++ poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java Wed 
Sep 20 14:55:19 2023
@@ -42,6 +42,7 @@ class TestBiffViewer extends BaseTestIte
         excludes.put("61300.xls", IndexOutOfBoundsException.class);
         excludes.put("poi-fuzz.xls", RecordFormatException.class);
         excludes.put("protected_66115.xls", RecordFormatException.class);
+        
excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-5786329142919168.xls",
 IllegalStateException.class);
 
         return excludes;
     }

Modified: 
poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestFormulaViewer.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestFormulaViewer.java?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
--- poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestFormulaViewer.java 
(original)
+++ poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestFormulaViewer.java 
Wed Sep 20 14:55:19 2023
@@ -53,7 +53,7 @@ class TestFormulaViewer extends BaseTest
     @Override
     void runOneFile(File fileIn) throws Exception {
         // replace with System.out for manual tests
-        PrintWriter out = new PrintWriter(new NullWriter());
+        PrintWriter out = new PrintWriter(NullWriter.INSTANCE);
 
         final Function<FormulaRecord, String> lister = (doListFormula) ? 
this::listFormula : this::parseFormulaRecord;
 

Modified: 
poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestRecordLister.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestRecordLister.java?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
--- poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestRecordLister.java 
(original)
+++ poi/trunk/poi/src/test/java/org/apache/poi/hssf/dev/TestRecordLister.java 
Wed Sep 20 14:55:19 2023
@@ -21,6 +21,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.PrintWriter;
 import java.util.Locale;
+import java.util.Map;
 
 import org.apache.commons.io.output.NullWriter;
 import org.apache.poi.hssf.record.ContinueRecord;
@@ -28,6 +29,7 @@ import org.apache.poi.hssf.record.Record
 import org.apache.poi.hssf.record.RecordFactory;
 import org.apache.poi.hssf.record.RecordInputStream;
 import org.apache.poi.poifs.filesystem.POIFSFileSystem;
+import org.apache.poi.util.RecordFormatException;
 
 /**
  * This is a low-level debugging class, which simply prints out what records 
come in what order.
@@ -41,9 +43,16 @@ import org.apache.poi.poifs.filesystem.P
 
 class TestRecordLister extends BaseTestIteratingXLS {
     @Override
+    protected Map<String, Class<? extends Throwable>> getExcludes() {
+        Map<String, Class<? extends Throwable>> excludes = super.getExcludes();
+        
excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-5786329142919168.xls",
 RecordFormatException.class);
+        return excludes;
+    }
+
+    @Override
     void runOneFile(File fileIn) throws IOException {
         // replace it with System.out if you like it more verbatim
-        PrintWriter out = new PrintWriter(new NullWriter());
+        PrintWriter out = new PrintWriter(NullWriter.INSTANCE);
 
         try (POIFSFileSystem fs = new POIFSFileSystem(fileIn, true);
              InputStream din = BiffViewer.getPOIFSInputStream(fs)) {

Modified: 
poi/trunk/poi/src/test/java/org/apache/poi/hssf/usermodel/TestHSSFWorkbook.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi/src/test/java/org/apache/poi/hssf/usermodel/TestHSSFWorkbook.java?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
--- 
poi/trunk/poi/src/test/java/org/apache/poi/hssf/usermodel/TestHSSFWorkbook.java 
(original)
+++ 
poi/trunk/poi/src/test/java/org/apache/poi/hssf/usermodel/TestHSSFWorkbook.java 
Wed Sep 20 14:55:19 2023
@@ -28,11 +28,13 @@ import static org.junit.jupiter.api.Asse
 import static org.junit.jupiter.api.Assertions.assertTrue;
 import static org.junit.jupiter.api.Assertions.fail;
 
+import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.OutputStream;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.List;
@@ -69,6 +71,7 @@ import org.apache.poi.ss.usermodel.Row;
 import org.apache.poi.ss.usermodel.Sheet;
 import org.apache.poi.ss.usermodel.SheetConditionalFormatting;
 import org.apache.poi.ss.usermodel.Workbook;
+import org.apache.poi.ss.usermodel.WorkbookFactory;
 import org.apache.poi.ss.util.CellRangeAddress;
 import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.TempFile;
@@ -1217,4 +1220,15 @@ public final class TestHSSFWorkbook exte
     void createDrawing() {
         // the dimensions for this image are different than for XSSF and SXSSF
     }
+
+    @Test
+    void writeInvalidFile() throws Exception {
+        try (Workbook wb = WorkbookFactory.create(
+                
samples.getFile("clusterfuzz-testcase-minimized-POIHSSFFuzzer-5786329142919168.xls"),
+                null, true)) {
+            try (OutputStream out = new ByteArrayOutputStream()) {
+                wb.write(out);
+            }
+        }
+    }
 }
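Review bot: `writeInvalidFile` contains no assertion, so it only shows that `wb.write(out)` does not throw and would still pass if the output were empty or unreadable. Declaring the sink as `ByteArrayOutputStream out` and adding `assertTrue(out.size() > 0);` makes the expectation explicit. Re-reading the bytes with `WorkbookFactory.create(new ByteArrayInputStream(out.toByteArray()))` would additionally confirm that the record written for the malformed input, presumably the conditional-formatting rule fixed in this commit, can be parsed again. A short comment naming Bug 66425 and the exception the file used to trigger would help readers of the test.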

Added: 
poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5231088823566336.ppt
URL: 
http://svn.apache.org/viewvc/poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5231088823566336.ppt?rev=1912433&view=auto
==============================================================================
Binary file - no diff available.

Propchange: 
poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5231088823566336.ppt
------------------------------------------------------------------------------
    svn:mime-type = application/vnd.ms-powerpoint

Added: 
poi/trunk/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-5786329142919168.xls
URL: 
http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-5786329142919168.xls?rev=1912433&view=auto
==============================================================================
Binary file - no diff available.

Propchange: 
poi/trunk/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-5786329142919168.xls
------------------------------------------------------------------------------
    svn:mime-type = application/vnd.ms-excel

Modified: poi/trunk/test-data/spreadsheet/stress.xls
URL: 
http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/stress.xls?rev=1912433&r1=1912432&r2=1912433&view=diff
==============================================================================
Binary files - no diff available.


