Author: centic
Date: Mon Jul 15 13:02:43 2024
New Revision: 1919256

URL: http://svn.apache.org/viewvc?rev=1919256&view=rev
Log:
Bug 66425: Avoid exceptions found via poi-fuzz

Avoid a possible StackOverflowException

This adds counting of the "nesting level" to the base
EscherRecord and thus makes this existing limitation much more effective,
as it now kicks in for more types of nested records.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66374

Added:
    
poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6192650357112832.ppt
   (with props)
Modified:
    
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
    poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
    poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherRecord.java
    poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java
    poi/trunk/test-data/spreadsheet/stress.xls

Modified: 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java?rev=1919256&r1=1919255&r2=1919256&view=diff
==============================================================================
--- 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
 (original)
+++ 
poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java
 Mon Jul 15 13:02:43 2024
@@ -71,6 +71,7 @@ public abstract class BaseTestPPTIterati
         
EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-4838893004128256.ppt",
 FileNotFoundException.class);
         
EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-4624961081573376.ppt",
 FileNotFoundException.class);
         
EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt",
 RuntimeException.class);
+        
EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6192650357112832.ppt",
 RuntimeException.class);
     }
 
     public static Stream<Arguments> files() {

Modified: 
poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java?rev=1919256&r1=1919255&r2=1919256&view=diff
==============================================================================
--- poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java 
(original)
+++ poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java 
Mon Jul 15 13:02:43 2024
@@ -91,7 +91,8 @@ public final class EscherContainerRecord
         return fillFields(data, pOffset, recordFactory, 0);
     }
 
-    int fillFields(byte[] data, int pOffset, EscherRecordFactory 
recordFactory, int nesting) {
+    @Override
+    protected int fillFields(byte[] data, int pOffset, EscherRecordFactory 
recordFactory, int nesting) {
         if (nesting > MAX_NESTED_CHILD_NODES) {
             throw new IllegalStateException("Had more than the limit of " + 
MAX_NESTED_CHILD_NODES + " nested child notes");
         }
@@ -107,7 +108,7 @@ public final class EscherContainerRecord
             } else if (child instanceof UnknownEscherRecord) {
                 childBytesWritten = 
((UnknownEscherRecord)child).fillFields(data, offset, recordFactory, nesting + 
1);
             } else {
-                childBytesWritten = child.fillFields(data, offset, 
recordFactory);
+                childBytesWritten = child.fillFields(data, offset, 
recordFactory, nesting + 1);
             }
 
             bytesWritten += childBytesWritten;
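Review bot: Now that EscherRecord declares the four-argument fillFields as a protected virtual method, the `instanceof EscherContainerRecord` and `instanceof UnknownEscherRecord` branches directly above the changed line are redundant: `childBytesWritten = child.fillFields(data, offset, recordFactory, nesting + 1);` already dispatches to those overrides. Collapsing the three branches into that single call removes the casts and leaves one code path through which the depth counter flows, so a future subclass that recurses cannot be missed by an instanceof chain. The same pattern remains in the UnknownEscherRecord hunk at `@@ -97,7 +98,7 @@`. The enclosing child loop of fillFields starts and ends outside this hunk.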

Modified: poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherRecord.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherRecord.java?rev=1919256&r1=1919255&r2=1919256&view=diff
==============================================================================
--- poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherRecord.java (original)
+++ poi/trunk/poi/src/main/java/org/apache/poi/ddf/EscherRecord.java Mon Jul 15 
13:02:43 2024
@@ -84,6 +84,31 @@ public abstract class EscherRecord imple
     public abstract int fillFields( byte[] data, int offset, 
EscherRecordFactory recordFactory );
 
     /**
+     * Internal method to prevent too deep nesting/using too much memory.
+     *
+     * This is done by counting the level of "nesting" via the parameter.
+     *
+     * The default method just forwards to fillFields() so it does not properly
+     * handle nesting. Subclasses which do recursive calls need to pass
+     * around the nesting-level properly.
+     *
+     * Usually both fillFields() methods should be overwritten by subclasses,
+     * the one without the "nesting"-parameter should routes to this one in
+     * classes which overwrite this method and this method should be 
overwritten
+     * with the actual functionality to fill fields.
+     *
+     * @param data      The byte array containing the serialized escher
+     *                  records.
+     * @param offset    The offset into the byte array.
+     * @param recordFactory     A factory for creating new escher records.
+     * @param nesting   The current nesting factor, usually increased by one 
on each recursive call
+     * @return          The number of bytes written.
+     */
+    protected int fillFields(byte[] data, int offset, EscherRecordFactory 
recordFactory, int nesting) {
+        return fillFields(data, offset, recordFactory);
+    }
+
+    /**
      * Reads the 8 byte header information and populates the 
<code>options</code>
      * and <code>recordId</code> records.
      *
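Review bot: The default implementation drops `nesting` by forwarding to the three-argument fillFields, so a subclass that parses child records but only overrides the three-argument form would restart the depth count at zero and the MAX_NESTED_CHILD_NODES limit would not hold across it; whether such a subclass exists is not visible here, but the Javadoc should state this as a requirement rather than a hint. Suggest replacing the fourth Javadoc paragraph with: `Subclasses that parse child records MUST override this method and pass {@code nesting + 1} to each child's four-argument fillFields; their three-argument fillFields should then delegate here with a nesting of 0.` The phrase "should routes to this one" should read "should route to this one", and "overwritten" is better as "overridden" since the methods are overridden, not replaced.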

Modified: 
poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java
URL: 
http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java?rev=1919256&r1=1919255&r2=1919256&view=diff
==============================================================================
--- poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java 
(original)
+++ poi/trunk/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java Mon 
Jul 15 13:02:43 2024
@@ -70,7 +70,8 @@ public final class UnknownEscherRecord e
         return fillFields(data, offset, recordFactory, 0);
     }
 
-    int fillFields(byte[] data, int offset, EscherRecordFactory recordFactory, 
int nesting) {
+    @Override
+    protected int fillFields(byte[] data, int offset, EscherRecordFactory 
recordFactory, int nesting) {
         if (nesting > MAX_NESTED_CHILD_NODES) {
             throw new IllegalStateException("Had more than the limit of " + 
MAX_NESTED_CHILD_NODES + " nested child notes");
         }
@@ -97,7 +98,7 @@ public final class UnknownEscherRecord e
                 if (child instanceof EscherContainerRecord) {
                     childBytesWritten = 
((EscherContainerRecord)child).fillFields(data, offset, recordFactory, nesting 
+ 1);
                 } else {
-                    childBytesWritten = child.fillFields(data, offset, 
recordFactory);
+                    childBytesWritten = child.fillFields(data, offset, 
recordFactory, nesting + 1);
                 }
                 bytesWritten += childBytesWritten;
                 offset += childBytesWritten;

Added: 
poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6192650357112832.ppt
URL: 
http://svn.apache.org/viewvc/poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6192650357112832.ppt?rev=1919256&view=auto
==============================================================================
Binary file - no diff available.

Propchange: 
poi/trunk/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6192650357112832.ppt
------------------------------------------------------------------------------
    svn:mime-type = application/vnd.ms-powerpoint

Modified: poi/trunk/test-data/spreadsheet/stress.xls
URL: 
http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/stress.xls?rev=1919256&r1=1919255&r2=1919256&view=diff
==============================================================================
Binary files - no diff available.


