https://bz.apache.org/bugzilla/show_bug.cgi?id=66425
Dominik Stadler <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Dominik Stadler <[email protected]> ---
Furthermore it is strange that you convert a string to bytes in the current
fuzzer for XLSX2CSV as the input is actually a binary format (Zip-archive of
XML-Files), so I am not sure if that leads to any useful fuzzing at all.

A better approach may be:

    public static void fuzzerTestOneInput(byte[] input) {
        InputStream in = new ByteArrayInputStream(input);

        try {
            OPCPackage p = OPCPackage.open(in);
            XLSX2CSV xlsx2csv = new XLSX2CSV(p, new NullPrintStream(), 5);
            xlsx2csv.process();
        } catch (IOException | OpenXML4JException | SAXException |
                 POIXMLException | RecordFormatException |
                 IllegalStateException | IllegalArgumentException e) {
            // expected here
        }
    }

BTW, we currently would like to not throw any RuntimeException or
NullPointerException directly, but only derived ones. Also the library should
never allocate endless amounts of memory, but rather fail with a useful
exception if input would cause excessive memory allocation.

Currently Apache POI 5.2.3 will still throw RuntimeException and
NullPointerException and maybe report OOMs. All known cases should be fixed in
the next release.
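
The point about converting a string to bytes can be checked directly. The following is an added example, not code from the bug report or from Apache POI: it builds a small ZIP, passes it through a String and back, and reports whether the bytes and the archive survive. The class name, entry name and sample bytes are constructed, and UTF-8 is assumed as the charset of the conversion.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.zip.*;

public class StringInputDemo {
    // Constructed sample: a minimal ZIP holding one uncompressed binary part,
    // standing in for an XLSX container (entry name and content are made up).
    static byte[] sampleZip() throws IOException {
        byte[] part = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        CRC32 crc = new CRC32();
        crc.update(part);
        ZipEntry entry = new ZipEntry("xl/media/image1.png");
        entry.setMethod(ZipEntry.STORED);   // STORED needs size and CRC up front
        entry.setSize(part.length);
        entry.setCrc(crc.getValue());
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(out)) {
            zip.putNextEntry(entry);
            zip.write(part);
        }
        return out.toByteArray();
    }

    // Decoding replaces every malformed UTF-8 sequence with U+FFFD, so only valid UTF-8 survives.
    static byte[] viaString(byte[] data) {
        return new String(data, StandardCharsets.UTF_8).getBytes(StandardCharsets.UTF_8);
    }

    // Number of entries that can be read completely, or -1 if the archive is rejected.
    static int readableEntries(byte[] data) {
        int count = 0;
        try (ZipInputStream zip = new ZipInputStream(new ByteArrayInputStream(data))) {
            while (zip.getNextEntry() != null) {
                zip.closeEntry();   // reads the entry data and verifies its CRC
                count++;
            }
        } catch (IOException | RuntimeException e) {
            return -1;
        }
        return count;
    }

    public static void main(String[] args) throws IOException {
        byte[] original = sampleZip();
        byte[] mangled = viaString(original);
        System.out.println("bytes unchanged by String round trip: " + Arrays.equals(original, mangled));
        System.out.println("entries readable: raw=" + readableEntries(original)
                + ", via String=" + readableEntries(mangled));
    }
}
```

Because the stored part starts with 0x89, which is never valid on its own in UTF-8, no String can encode to this archive; a harness that takes `byte[]` has no such restriction.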
