metsw24-max commented on code in PR #1076:
URL: https://github.com/apache/poi/pull/1076#discussion_r3248874110
##########
poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java:
##########
@@ -45,8 +45,13 @@ public Pointer createPointer(byte[] data, int offset) {
p = new PointerV6();
p.setType(LittleEndian.getInt(data, offset));
p.setAddress((int)LittleEndian.getUInt(data, offset+4));
- p.setOffset((int)LittleEndian.getUInt(data, offset+8));
- p.setLength((int)LittleEndian.getUInt(data, offset+12));
+ // Offset and Length flow into Stream.createStream as the (offset,
length)
+ // pair handed to StreamStore / CompressedStreamStore. Match the
recent
+ // ChunkHeader v6+ Length fix (PR #1075) and reject uint32 values
that
+ // would silently wrap to a negative int rather than letting the
wrapped
+ // value reach the downstream IOUtils.safelyClone bounds check.
+ p.setOffset(Math.toIntExact(LittleEndian.getUInt(data, offset+8)));
+ p.setLength(Math.toIntExact(LittleEndian.getUInt(data,
offset+12)));
Review Comment:
Done both fields are now read as long up-front.
Length goes through `IOUtils.safelyAllocateCheck(value, Integer.MAX_VALUE);`
Offset has a small helper throwing RecordFormatException with the offending
value
Tests and poi-integration-exceptions.csv updated to match the new exception.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
