This is an automated email from the ASF dual-hosted git repository. centic pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/poi.git
commit 1d9425abb3d7fa69276b0c894ac366c32dde430b Author: Dominik Stadler <[email protected]> AuthorDate: Sun Feb 22 21:28:42 2026 +0100 Log instead of assertion when handling a slightly corrupted wmf-file We should not use assert() for cases that can be triggered by input-files. Fixes https://issues.oss-fuzz.com/issues/486466456 --- .../org/apache/poi/hwmf/record/HwmfHeader.java | 25 +++++++++++++-------- test-data/poi-integration-exceptions.csv | 1 + ...mized-POIFileHandlerFuzzer-6060921738035200.wmf | Bin 0 -> 18 bytes 3 files changed, 17 insertions(+), 9 deletions(-) diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfHeader.java b/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfHeader.java index 2f1ada526b..43885e2f8f 100644 --- a/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfHeader.java +++ b/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfHeader.java @@ -23,11 +23,15 @@ import java.util.LinkedHashMap; import java.util.Map; import java.util.function.Supplier; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.apache.poi.common.usermodel.GenericRecord; import org.apache.poi.util.LittleEndianConsts; import org.apache.poi.util.LittleEndianInputStream; public class HwmfHeader implements GenericRecord { + private static final Logger log = LogManager.getLogger(HwmfHeader.class); + public enum HwmfHeaderMetaType { MEMORY_METAFILE, DISK_METAFILE } @@ -39,48 +43,51 @@ public class HwmfHeader implements GenericRecord { private int numberOfObjects; private long maxRecord; private int numberOfMembers; - + public HwmfHeader(LittleEndianInputStream leis) throws IOException { // Type (2 bytes): A 16-bit unsigned integer that defines the type of metafile - // MEMORYMETAFILE = 0x0001, DISKMETAFILE = 0x0002 + // MEMORYMETAFILE = 0x0001, DISKMETAFILE = 0x0002 type = HwmfHeaderMetaType.values()[leis.readUShort()-1]; // HeaderSize (2 bytes): A 16-bit unsigned integer that defines the number // of 16-bit words in the header. recordSize = leis.readUShort(); int bytesLeft = recordSize*LittleEndianConsts.SHORT_SIZE-4; - + // Version (2 bytes): A 16-bit unsigned integer that defines the metafile version. // METAVERSION100 = 0x0100, METAVERSION300 = 0x0300 version = leis.readUShort(); bytesLeft -= LittleEndianConsts.SHORT_SIZE; - + // SizeLow (2 bytes): A 16-bit unsigned integer that defines the low-order word // of the number of 16-bit words in the entire metafile. // SizeHigh (2 bytes): A 16-bit unsigned integer that defines the high-order word // of the number of 16-bit words in the entire metafile. filesize = leis.readInt(); bytesLeft -= LittleEndianConsts.INT_SIZE; - + // NumberOfObjects (2 bytes): A 16-bit unsigned integer that specifies the number // of graphics objects that are defined in the entire metafile. These objects include // brushes, pens, and the other objects numberOfObjects = leis.readUShort(); bytesLeft -= LittleEndianConsts.SHORT_SIZE; - + // MaxRecord (4 bytes): A 32-bit unsigned integer that specifies the size of the // largest record used in the metafile (in 16-bit elements). maxRecord = leis.readUInt(); bytesLeft -= LittleEndianConsts.INT_SIZE; - + // NumberOfMembers (2 bytes): A 16-bit unsigned integer that is not used. // It SHOULD be 0x0000. numberOfMembers = leis.readUShort(); bytesLeft -= LittleEndianConsts.SHORT_SIZE; - + if (bytesLeft > 0) { long len = leis.skip(bytesLeft); - assert(len == bytesLeft); + if (len != bytesLeft) { + log.atWarn().log("Had unexpected number of bytes left for the wmf-header, expected {}, but had {}", + bytesLeft, len); + } } } diff --git a/test-data/poi-integration-exceptions.csv b/test-data/poi-integration-exceptions.csv index d2f0336e25..9c018180f4 100644 --- a/test-data/poi-integration-exceptions.csv +++ b/test-data/poi-integration-exceptions.csv @@ -403,3 +403,4 @@ slideshow/clusterfuzz-testcase-minimized-POIXSLFFuzzer-6435650376957952.pptx,ext slideshow/clusterfuzz-testcase-minimized-POIFileHandlerFuzzer-6466833057382400.emf,"handle,extract",HEMF,,org.apache.poi.util.RecordFormatException,java.lang.IllegalStateException: Unexpected end-of-file, slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-4983252485210112.ppt,"handle,additional",HPSF,,java.lang.IndexOutOfBoundsException,Block 21 not found, slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-4983252485210112.ppt,handle,HSLF,,org.apache.poi.util.RecordFormatException,"Can't allocate an array of length < 0, but had -1579150891 and 1000000", +slideshow/clusterfuzz-testcase-minimized-POIFileHandlerFuzzer-6060921738035200.wmf,handle,HWMF,,java.lang.IllegalStateException,invalid wmf file \ No newline at end of file diff --git a/test-data/slideshow/clusterfuzz-testcase-minimized-POIFileHandlerFuzzer-6060921738035200.wmf b/test-data/slideshow/clusterfuzz-testcase-minimized-POIFileHandlerFuzzer-6060921738035200.wmf new file mode 100644 index 0000000000..37aaf406a8 Binary files /dev/null and b/test-data/slideshow/clusterfuzz-testcase-minimized-POIFileHandlerFuzzer-6060921738035200.wmf differ --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
