https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
Bug ID: 54682
Summary: UnhandledDataStructure - OutOfMemoryError
Product: POI
Version: 3.9
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: HWPF
Assignee: [email protected]
Reporter: [email protected]
Classification: Unclassified
In the constructor for org.apache.poi.hwpf.model.UnhandledDataStructure, a byte
array is allocated using a length value prior to the code which validates that
the parameters passed to the constructor are sane. The current check is:
if (offset + length > buf.length)
{
throw new IndexOutOfBoundsException("buffer length is " + buf.length +
"but code is trying to read " +
length + " from offset " + offset);
}
This should be done prior to creating the buffer. In one case a malformed word
document was attempting to allocate ~1.8g of data when the total files size was
90k.
Also, the check should be:
if (((long) offset) + length > buf.length)
In a corrupt file the parameters could potentially be large enough to overflow
an integer.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
