jmestwa-coder opened a new pull request, #1071:
URL: https://github.com/apache/poi/pull/1071
## Summary
This patch strengthens `CompressedRTF` boundary handling and decompression
validation for both compressed and uncompressed RTF streams.
## Changes
- Enforce maximum decompressed size validation using
`IOUtils.safelyAllocateCheck`.
- Add bounded output enforcement to prevent expansion beyond the declared
decompressed size plus documented protocol padding.
- Fix uncompressed RTF handling to:
- copy only the declared payload bytes,
- stop at the correct stream boundary,
- and avoid falling through into LZW decompression.
- Bound compressed input reads to the declared compressed payload size using
`BoundedInputStream`.
- Add documentation for the MS-OXRTFCP trailing padding behavior.
## Tests
Added tests covering:
- rejection of oversized declared decompressed sizes,
- rejection of malformed compressed streams expanding beyond allowed padding
limits.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
