Author: centic Date: Thu Jul 18 07:09:32 2024 New Revision: 1919342 URL: http://svn.apache.org/viewvc?rev=1919342&view=rev Log: Bug 66425: Avoid exceptions found via poi-fuzz
Processing formats uses regular expressions. Very complex formats can recurse very deeply and thus can cause StackOVerflows depending on the used stack-size. In order to handle this a bit more gracefully, we now catch this and report a better exception with details about the parsed format and potential mitigation. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66137 Added: poi/trunk/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4657005060816896.xls (with props) Modified: poi/trunk/poi-integration/src/test/java/org/apache/poi/stress/TestAllFiles.java poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hssf/converter/TestExcelConverterSuite.java poi/trunk/poi/src/main/java/org/apache/poi/ss/format/CellFormat.java poi/trunk/poi/src/test/java/org/apache/poi/hssf/extractor/TestExcelExtractor.java poi/trunk/test-data/spreadsheet/stress.xls Modified: poi/trunk/poi-integration/src/test/java/org/apache/poi/stress/TestAllFiles.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-integration/src/test/java/org/apache/poi/stress/TestAllFiles.java?rev=1919342&r1=1919341&r2=1919342&view=diff ============================================================================== --- poi/trunk/poi-integration/src/test/java/org/apache/poi/stress/TestAllFiles.java (original) +++ poi/trunk/poi-integration/src/test/java/org/apache/poi/stress/TestAllFiles.java Thu Jul 18 07:09:32 2024 @@ -136,6 +136,7 @@ public class TestAllFiles { "spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4977868385681408.xls", "spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4651309315719168.xls", "document/clusterfuzz-testcase-POIHWPFFuzzer-5696094627495936.doc", + "spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4657005060816896.xls" }); private static final Set<String> EXPECTED_FAILURES = StressTestUtils.unmodifiableHashSet( Modified: poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hssf/converter/TestExcelConverterSuite.java URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hssf/converter/TestExcelConverterSuite.java?rev=1919342&r1=1919341&r2=1919342&view=diff ============================================================================== --- poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hssf/converter/TestExcelConverterSuite.java (original) +++ poi/trunk/poi-scratchpad/src/test/java/org/apache/poi/hssf/converter/TestExcelConverterSuite.java Thu Jul 18 07:09:32 2024 @@ -46,7 +46,8 @@ public class TestExcelConverterSuite { // not failing, but requires more memory "ex45698-22488.xls", // broken documents - "clusterfuzz-testcase-minimized-POIHSSFFuzzer-5436547081830400.xls" + "clusterfuzz-testcase-minimized-POIHSSFFuzzer-5436547081830400.xls", + "clusterfuzz-testcase-minimized-POIHSSFFuzzer-4657005060816896.xls" ); public static Stream<Arguments> files() { Modified: poi/trunk/poi/src/main/java/org/apache/poi/ss/format/CellFormat.java URL: http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/ss/format/CellFormat.java?rev=1919342&r1=1919341&r2=1919342&view=diff ============================================================================== --- poi/trunk/poi/src/main/java/org/apache/poi/ss/format/CellFormat.java (original) +++ poi/trunk/poi/src/main/java/org/apache/poi/ss/format/CellFormat.java Thu Jul 18 07:09:32 2024 @@ -28,7 +28,6 @@ import java.util.regex.Pattern; import javax.swing.JLabel; -import org.apache.logging.log4j.Level; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; import org.apache.poi.ss.usermodel.Cell; @@ -182,19 +181,28 @@ public class CellFormat { Matcher m = ONE_PART.matcher(format); List<CellFormatPart> parts = new ArrayList<>(); - while (m.find()) { - try { - String valueDesc = m.group(); - - // Strip out the semicolon if it's there - if (valueDesc.endsWith(";")) - valueDesc = valueDesc.substring(0, valueDesc.length() - 1); - - parts.add(new CellFormatPart(locale, valueDesc)); - } catch (RuntimeException e) { - LOG.warn("Invalid format: {}", CellFormatter.quote(m.group()), e); - parts.add(null); + try { + while (m.find()) { + try { + String valueDesc = m.group(); + + // Strip out the semicolon if it's there + if (valueDesc.endsWith(";")) + valueDesc = valueDesc.substring(0, valueDesc.length() - 1); + + parts.add(new CellFormatPart(locale, valueDesc)); + } catch (RuntimeException e) { + LOG.warn("Invalid format: {}", CellFormatter.quote(m.group()), e); + parts.add(null); + } } + } catch (StackOverflowError e) { + // very complex formats can cause the regex-parsing to exceed the available stack + // we want to handle this more gracefully by catching it and reporting a bit more + // details in the error message + throw new IllegalStateException("The provided format is too complex: " + format + + ", you can try to increase Java Stack size via commandline argument '-Xss' " + + "to allow handling this format"); } formatPartCount = parts.size(); Modified: poi/trunk/poi/src/test/java/org/apache/poi/hssf/extractor/TestExcelExtractor.java URL: http://svn.apache.org/viewvc/poi/trunk/poi/src/test/java/org/apache/poi/hssf/extractor/TestExcelExtractor.java?rev=1919342&r1=1919341&r2=1919342&view=diff ============================================================================== --- poi/trunk/poi/src/test/java/org/apache/poi/hssf/extractor/TestExcelExtractor.java (original) +++ poi/trunk/poi/src/test/java/org/apache/poi/hssf/extractor/TestExcelExtractor.java Thu Jul 18 07:09:32 2024 @@ -382,4 +382,16 @@ final class TestExcelExtractor { assertContains(txt, "Macro2"); } } + + @Test + void testStackOverflowInRegex() throws IOException { + try (ExcelExtractor extractor = createExtractor("clusterfuzz-testcase-minimized-POIHSSFFuzzer-4657005060816896.xls")) { + extractor.getText(); + } catch (IllegalStateException e) { + // we either get a StackOverflow or a parsing error depending on the stack-size of the current JVM, + // so we expect both here + assertTrue(e.getMessage().contains("Provided formula is too complex") || + e.getMessage().contains("Did not have a ExtendedFormatRecord")); + } + } } Added: poi/trunk/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4657005060816896.xls URL: http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4657005060816896.xls?rev=1919342&view=auto ============================================================================== Binary file - no diff available. Propchange: poi/trunk/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4657005060816896.xls ------------------------------------------------------------------------------ svn:mime-type = application/vnd.ms-excel Modified: poi/trunk/test-data/spreadsheet/stress.xls URL: http://svn.apache.org/viewvc/poi/trunk/test-data/spreadsheet/stress.xls?rev=1919342&r1=1919341&r2=1919342&view=diff ============================================================================== Binary files - no diff available. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
