Author: centic Date: Sat Dec 30 11:11:32 2023 New Revision: 1914989 URL: http://svn.apache.org/viewvc?rev=1914989&view=rev Log: Bug 66425: Avoid exceptions found via poi-fuzz
Prevent StackOverflow via endless nesting Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=65303 Added: poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java poi/trunk/test-data/spreadsheet/stress.xls
Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java?rev=1914989&r1=1914988&r2=1914989&view=diff
==============================================================================
--- poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java (original)
+++ poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java Sat Dec 30 11:11:32 2023
@@ -70,6 +70,7 @@ public abstract class BaseTestPPTIterati
 EXCLUDED.put("clusterfuzz-testcase-minimized-POIFuzzer-6411649193738240.ppt", FileNotFoundException.class);
 EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-4838893004128256.ppt", FileNotFoundException.class);
 EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-4624961081573376.ppt", FileNotFoundException.class);
+ EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt", RuntimeException.class);
 }
 public static Stream<Arguments> files() {
Modified: poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java?rev=1914989&r1=1914988&r2=1914989&view=diff
==============================================================================
--- poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java (original)
+++ poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java Sat Dec 30 11:11:32 2023
@@ -91,7 +91,7 @@ public final class EscherContainerRecord
 return fillFields(data, pOffset, recordFactory, 0);
 }
- private int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory, int nesting) {
+ int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory, int nesting) {
 if (nesting > MAX_NESTED_CHILD_NODES) {
 throw new IllegalStateException("Had more than the limit of " + MAX_NESTED_CHILD_NODES + " nested child notes");
 }
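Review bot: `RuntimeException.class` in the new EXCLUDED entry is a wider expectation than the guard this commit adds, since both nesting checks throw `IllegalStateException`. If the map value is matched with assertThrows-style semantics (the lookup is outside this hunk), any unchecked exception on this file, such as an unrelated index or null failure, would still satisfy the test. Unless the exception is wrapped on the way up, registering `IllegalStateException.class` would tie the test to the depth guard; otherwise a comment beside the entry such as `// rejected by the MAX_NESTED_CHILD_NODES depth check` would record why the file is excluded.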
@@ -104,6 +104,8 @@ public final class EscherContainerRecord
 final int childBytesWritten;
 if (child instanceof EscherContainerRecord) {
 childBytesWritten = ((EscherContainerRecord)child).fillFields(data, offset, recordFactory, nesting + 1);
+ } else if (child instanceof UnknownEscherRecord) {
+ childBytesWritten = ((UnknownEscherRecord)child).fillFields(data, offset, recordFactory, nesting + 1);
 } else {
 childBytesWritten = child.fillFields(data, offset, recordFactory);
 }
Modified: poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java?rev=1914989&r1=1914988&r2=1914989&view=diff
==============================================================================
--- poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java (original)
+++ poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java Sat Dec 30 11:11:32 2023
@@ -32,13 +32,14 @@ import org.apache.poi.util.LittleEndian;
 * we do not explicitly support.
 */
 public final class UnknownEscherRecord extends EscherRecord {
- //arbitrarily selected; may need to increase
 private static final int DEFAULT_MAX_RECORD_LENGTH = 100_000_000;
 private static int MAX_RECORD_LENGTH = DEFAULT_MAX_RECORD_LENGTH;
 private static final byte[] NO_BYTES = new byte[0];
+ private static final int MAX_NESTED_CHILD_NODES = 1000;
+
 /** The data for this record not including the 8 byte header */
 private byte[] thedata = NO_BYTES;
 private final List<EscherRecord> _childRecords = new ArrayList<>();
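Review bot: `MAX_NESTED_CHILD_NODES = 1000` is declared here a second time, while EscherContainerRecord checks a constant of the same name against the same `nesting` counter as calls cross between the two classes. If the two values ever diverge, the effective depth limit depends on which class happens to be reached at that depth. Referring to a single definition, or at least adding `// keep equal to EscherContainerRecord.MAX_NESTED_CHILD_NODES` above the new field, would prevent that drift. The value of the EscherContainerRecord constant is not visible in this diff.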
@@ -66,6 +67,14 @@ public final class UnknownEscherRecord e
 @Override
 public int fillFields(byte[] data, int offset, EscherRecordFactory recordFactory) {
+ return fillFields(data, offset, recordFactory, 0);
+ }
+
+ int fillFields(byte[] data, int offset, EscherRecordFactory recordFactory, int nesting) {
+ if (nesting > MAX_NESTED_CHILD_NODES) {
+ throw new IllegalStateException("Had more than the limit of " + MAX_NESTED_CHILD_NODES + " nested child notes");
+ }
+
 int bytesRemaining = readHeader( data, offset );
 /*
 * Have a check between available bytes and bytesRemaining,
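Review bot: The new exception text ends in "nested child notes" where "nodes" is meant; the string is copied from EscherContainerRecord, so both could be corrected together to `" nested child nodes"`. The package-private four-argument overload also has no comment, and a line such as `// nesting is the current recursion depth; bounded by MAX_NESTED_CHILD_NODES so malformed files cannot exhaust the stack` would explain why it sits next to the public three-argument method. The method body continues past the end of this hunk.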
@@ -83,7 +92,13 @@ public final class UnknownEscherRecord e
 bytesWritten += 8;
 while ( bytesRemaining > 0 ) {
 EscherRecord child = recordFactory.createRecord( data, offset );
- int childBytesWritten = child.fillFields( data, offset, recordFactory );
+ final int childBytesWritten;
+
+ if (child instanceof EscherContainerRecord) {
+ childBytesWritten = ((EscherContainerRecord)child).fillFields(data, offset, recordFactory, nesting + 1);
+ } else {
+ childBytesWritten = child.fillFields(data, offset, recordFactory);
+ }
 bytesWritten += childBytesWritten;
 offset += childBytesWritten;
 bytesRemaining -= childBytesWritten;
Added: poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt
URL: http://svn.apache.org/viewvc/poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt?rev=1914989&view=auto
==============================================================================
Binary files poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt (added) and poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt Sat Dec 30 11:11:32 2023 differ
Modified: poi/trunk/test-data/spreadsheet/stress.xls
URL: http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/stress.xls?rev=1914989&r1=1914988&r2=1914989&view=diff
==============================================================================
Binary files - no diff available.
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
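Review bot: The child dispatch in this loop carries the depth forward only for `EscherContainerRecord`; a child that is itself an `UnknownEscherRecord` falls into the `else` branch and re-enters through the three-argument `fillFields`, which restarts `nesting` at 0. Input that nests unknown container records directly inside one another would therefore never reach the `MAX_NESTED_CHILD_NODES` check and could still exhaust the stack, the condition this commit sets out to prevent. The matching loop in EscherContainerRecord handles both types, and the same branch is needed here: `} else if (child instanceof UnknownEscherRecord) { childBytesWritten = ((UnknownEscherRecord)child).fillFields(data, offset, recordFactory, nesting + 1);`. The enclosing method starts and ends outside the hunk, so any condition guarding this loop cannot be seen here.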
