jmestwa-coder commented on code in PR #1060:
URL: https://github.com/apache/poi/pull/1060#discussion_r3219602071
##########
poi-scratchpad/src/main/java/org/apache/poi/hemf/record/emf/HemfHeader.java:
##########
@@ -165,10 +167,17 @@ public long init(LittleEndianInputStream leis, long
recordSize, long recordId) t
size += readDimensionInt(leis, milliDimension);
if (nDescription > 0 && offDescription > 0) {
- int skip = (int)(offDescription - (size + HEADER_SIZE));
- leis.mark(skip+nDescription*2);
- leis.skipFully(skip);
- byte[] buf = new byte[(nDescription-1)*2];
+ long skip = offDescription - (size + HEADER_SIZE);
+ long descriptionBytes = (nDescription - 1) *
LittleEndianConsts.SHORT_SIZE;
+ long descriptionEnd = offDescription + nDescription *
LittleEndianConsts.SHORT_SIZE;
+ if (skip < 0 || descriptionEnd > recordSize + HEADER_SIZE || skip
+ descriptionBytes > Integer.MAX_VALUE) {
+ throw new RecordFormatException("Invalid EMF header
description bounds");
+ }
+ int maxDescriptionLength = (int)Math.min(recordSize,
Integer.MAX_VALUE);
+ IOUtils.safelyAllocateCheck(descriptionBytes,
maxDescriptionLength);
+ leis.mark((int)(skip + descriptionBytes));
+ leis.skipFully((int)skip);
+ byte[] buf = IOUtils.safelyAllocate(descriptionBytes,
maxDescriptionLength);
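Review bot: The products on the new `descriptionBytes` and `descriptionEnd` lines can still wrap before they are widened to `long`. The removed `new byte[(nDescription-1)*2]` implies `nDescription` is int-typed, and `LittleEndianConsts.SHORT_SIZE` is an `int` constant, so `(nDescription - 1) * LittleEndianConsts.SHORT_SIZE` and `nDescription * LittleEndianConsts.SHORT_SIZE` are evaluated in 32-bit arithmetic. With a large `nDescription` the wrapped product can make `descriptionEnd` small or negative, so the `descriptionEnd > recordSize + HEADER_SIZE` comparison no longer rejects it, and `descriptionBytes` can go negative and slip under the `skip + descriptionBytes > Integer.MAX_VALUE` test. Suggest forcing the multiplication into long arithmetic, for example `(nDescription - 1L) * LittleEndianConsts.SHORT_SIZE` and `offDescription + (long) nDescription * LittleEndianConsts.SHORT_SIZE`, adding an explicit `descriptionBytes < 0` rejection next to `skip < 0`, and covering the case with a test record whose `nDescription` is close to `Integer.MAX_VALUE`.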
Review Comment:
The goal of this change was to prevent overflowed arithmetic and invalid
parser bounds handling before skip/allocation operations while preserving the
existing allocation semantics for EMF records.
I avoided introducing additional record-type-specific allocation limits here
since that would be a broader behavioral change beyond the scope of this fix.