This is an automated email from the ASF dual-hosted git repository. centic pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/poi.git
commit 66109187d12b72696ea02101cec765d77d9bbdc9 Author: Dominik Stadler <[email protected]> AuthorDate: Sun Jan 18 16:49:58 2026 +0100 Only allocate the required size for EscherComplexProperty Otherwise a malformed document can cause OOM by reserving large chunks of memory, but only using little of it. This fixes https://issues.oss-fuzz.com/issues/476184826 --- .../org/apache/poi/ddf/EscherComplexProperty.java | 18 +++++++++++------- ...ase-minimized-POIHPBFFuzzer-6325615354773504.pub | Bin 0 -> 2042 bytes test-data/spreadsheet/stress.xls | Bin 76800 -> 76800 bytes 3 files changed, 11 insertions(+), 7 deletions(-) diff --git a/poi/src/main/java/org/apache/poi/ddf/EscherComplexProperty.java b/poi/src/main/java/org/apache/poi/ddf/EscherComplexProperty.java index 356cd4a8c4..680ee9a5ae 100644 --- a/poi/src/main/java/org/apache/poi/ddf/EscherComplexProperty.java +++ b/poi/src/main/java/org/apache/poi/ddf/EscherComplexProperty.java @@ -67,9 +67,9 @@ public class EscherComplexProperty extends EscherProperty { this.complexSize = complexSize; } - private void ensureComplexData() { + private void ensureComplexData(int size) { if (this.complexData == null) { - complexData = IOUtils.safelyAllocate(complexSize, MAX_RECORD_LENGTH); + complexData = IOUtils.safelyAllocate(size, MAX_RECORD_LENGTH); } } @@ -131,7 +131,9 @@ public class EscherComplexProperty extends EscherProperty { * @return the complex bytes */ public byte[] getComplexData() { - ensureComplexData(); + // we need to allocate here as sometimes the array is written to + ensureComplexData(complexSize); + return complexData; } @@ -147,8 +149,8 @@ public class EscherComplexProperty extends EscherProperty { if (complexData == null) { return 0; } else { - ensureComplexData(); - int copySize = Math.max(0, Math.min(this.complexData.length, complexData.length - offset)); + int copySize = Math.max(0, Math.min(complexSize, complexData.length - offset)); + ensureComplexData(copySize); System.arraycopy(complexData, offset, this.complexData, 0, copySize); return copySize; } @@ -165,6 +167,8 @@ public class EscherComplexProperty extends EscherProperty { // no need to copy if data was not initialized yet if (complexData == null) { + complexSize = newSize; + return; } @@ -218,13 +222,13 @@ public class EscherComplexProperty extends EscherProperty { @Override public int hashCode() { - ensureComplexData(); + ensureComplexData(complexSize); return Arrays.deepHashCode(new Object[]{complexData, getId()}); } @Override public Map<String, Supplier<?>> getGenericProperties() { - ensureComplexData(); + ensureComplexData(complexSize); return GenericRecordUtil.getGenericProperties( "base", super::getGenericProperties, "data", this::getComplexData diff --git a/test-data/publisher/clusterfuzz-testcase-minimized-POIHPBFFuzzer-6325615354773504.pub b/test-data/publisher/clusterfuzz-testcase-minimized-POIHPBFFuzzer-6325615354773504.pub new file mode 100644 index 0000000000..99c698207f Binary files /dev/null and b/test-data/publisher/clusterfuzz-testcase-minimized-POIHPBFFuzzer-6325615354773504.pub differ diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls index a03baec081..e34a6c478c 100644 Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
