This is an automated email from the ASF dual-hosted git repository. centic pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/poi.git
commit c92c533d7a5e08cdbe2bcc9f09ecfaca7fd60bea Author: Dominik Stadler <[email protected]> AuthorDate: Sat Feb 14 17:16:26 2026 +0100 Prevent large allocations when writing PPDrawing items Add an allocation check which can be disabled if necessary. Fixes https://issues.oss-fuzz.com/issues/477289649 and https://issues.oss-fuzz.com/issues/479564936 --- .../java/org/apache/poi/hslf/record/PPDrawing.java | 7 +++++-- .../org/apache/poi/hslf/dev/TestSlideIdListing.java | 1 + .../poi/hslf/dev/TestSlideShowRecordDumper.java | 4 +++- .../poi/hslf/dev/TestUserEditAndPersistListing.java | 4 +++- ...ase-minimized-POIHSLFFuzzer-6028723156746240.ppt | Bin 0 -> 547740 bytes test-data/spreadsheet/stress.xls | Bin 77824 -> 78336 bytes 6 files changed, 12 insertions(+), 4 deletions(-) diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java index 267034076a..886468362e 100644 --- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java +++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java @@ -47,6 +47,7 @@ import org.apache.poi.ddf.EscherSpgrRecord; import org.apache.poi.ddf.EscherTextboxRecord; import org.apache.poi.sl.usermodel.ShapeType; import org.apache.poi.util.GenericRecordUtil; +import org.apache.poi.util.IOUtils; import org.apache.poi.util.LittleEndian; /** @@ -65,6 +66,7 @@ import org.apache.poi.util.LittleEndian; // would require a wrapping class public final class PPDrawing extends RecordAtom implements Iterable<EscherRecord> { + public static final int MAX_RECORD_SIZE = 20_000_000; private final byte[] _header; private long _type; 
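Review bot: `MAX_RECORD_SIZE` in the second PPDrawing.java hunk is added as a public constant with no Javadoc, and because it is `static final` it cannot be changed at runtime, although the commit message says the check can be disabled. If the intended escape hatch is the global override in `IOUtils` (presumably `IOUtils.setByteArrayMaxOverride`), say so on the field, for example `/** Upper bound in bytes for the buffer allocated when serializing the drawing container; larger sizes are rejected unless the IOUtils byte-array override is set. */`. A short note on why 20_000_000 was chosen would also help, since a legitimate drawing above that size will now fail on save.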
@@ -214,8 +216,9 @@ public final class PPDrawing extends RecordAtom implements Iterable<EscherRecord // Write out our header out.write(_header); - // Now grab the children's data - byte[] b = new byte[newSize]; + // Now grab the children's data, but fail if it tries to allocate + // too much + byte[] b = IOUtils.safelyAllocate(newSize, MAX_RECORD_SIZE); int done = 0; dgContainer.serialize(done, b); diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java index f86247c86b..684f4e8e42 100644 --- a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java +++ b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java @@ -32,6 +32,7 @@ public class TestSlideIdListing extends BaseTestPPTIterating { static { LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt"); LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt"); + LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt"); } @Test diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java index 73bbd376fd..f5705fe981 100644 --- a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java +++ b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java 
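Review bot: The size check runs after `out.write(_header);`, so when `IOUtils.safelyAllocate(newSize, MAX_RECORD_SIZE)` rejects the size, the header bytes have already gone to the stream and the caller is left with a truncated record. Doing the allocation first keeps the failure clean: move `byte[] b = IOUtils.safelyAllocate(newSize, MAX_RECORD_SIZE);` above `out.write(_header);`. The enclosing method starts and ends outside this hunk, so confirm that `newSize` is already final at that point and that nothing earlier in the method writes to `out`.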
@@ -25,12 +25,14 @@ import java.util.Set; import org.apache.poi.EmptyFileException; import org.apache.poi.hslf.HSLFTestDataSamples; +import org.apache.poi.util.RecordFormatException; import org.junit.jupiter.api.Test; public class TestSlideShowRecordDumper extends BaseTestPPTIterating { static final Set<String> LOCAL_EXCLUDED = new HashSet<>(); static { LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt"); + LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt"); } @Test @@ -58,7 +60,7 @@ public class TestSlideShowRecordDumper extends BaseTestPPTIterating { void runOneFile(File pFile) throws Exception { try { SlideShowRecordDumper.main(new String[]{pFile.getAbsolutePath()}); - } catch (IllegalStateException e) { + } catch (IllegalStateException | RecordFormatException e) { if (!LOCAL_EXCLUDED.contains(pFile.getName())) { throw e; } diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java index fab8679776..e639e292b0 100644 --- a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java +++ b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java @@ -24,12 +24,14 @@ import java.util.HashSet; import java.util.Set; import org.apache.poi.EmptyFileException; +import org.apache.poi.util.RecordFormatException; import org.junit.jupiter.api.Test; public class TestUserEditAndPersistListing extends BaseTestPPTIterating { static final Set<String> LOCAL_EXCLUDED = new HashSet<>(); static { LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt"); + LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt"); } @Test 
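Review bot: The widened `catch (IllegalStateException | RecordFormatException e)` in `runOneFile` accepts either exception for every name in `LOCAL_EXCLUDED`, so a file that was excluded for an `IllegalStateException` now also passes silently if it starts tripping the allocation check. Nothing visible asserts that the new reproducer `clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt` is rejected by the size limit rather than for some other reason. The same pattern is repeated in TestUserEditAndPersistListing.java. Consider recording the expected exception type per excluded file, or adding a focused test that asserts `RecordFormatException` for this reproducer; at minimum add a comment such as `// 6028723156746240: exceeds PPDrawing.MAX_RECORD_SIZE, expected RecordFormatException`. The body of `runOneFile` continues outside the hunk.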
@@ -42,7 +44,7 @@ public class TestUserEditAndPersistListing extends BaseTestPPTIterating { void runOneFile(File pFile) throws Exception { try { UserEditAndPersistListing.main(new String[]{pFile.getAbsolutePath()}); - } catch (IllegalStateException e) { + } catch (IllegalStateException | RecordFormatException e) { if (!LOCAL_EXCLUDED.contains(pFile.getName())) { throw e; } diff --git a/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt new file mode 100644 index 0000000000..96793914be Binary files /dev/null and b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt differ diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls index 18508cf972..a4ba77404e 100644 Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
