metsw24-max opened a new pull request, #1078:
URL: https://github.com/apache/poi/pull/1078
Harden HSLF PersistPtr parsing against unsigned-to-signed integer truncation
when reading sheet offsets from PersistPtrIncrementalBlock records.

Previously, PersistPtrHolder read 32-bit unsigned sheet offsets using
`LittleEndian.getUInt(...)` and narrowed them with a plain `(int)` cast. Values
larger than `Integer.MAX_VALUE` wrapped to negative offsets and were stored in
`_slideLocations`.

These wrapped offsets later flowed into
`Record.buildRecordAtOffset(docstream, offset)`, where malformed inputs could
cause the parser to read records from unintended positions in the document
stream instead of rejecting the corrupted input cleanly.

## Changes
* Replaced the narrowing cast with `Math.toIntExact(...)` when parsing
PersistPtr sheet offsets
* Added an inline hardening comment documenting the threat model and parser
impact
* Preserved support for all valid signed-int offsets, including
`Integer.MAX_VALUE`
## Tests
Added regression coverage in `TestPersistPtrHolder`:
* `testRejectsOversizedSheetOffset`
  * Verifies oversized uint32 offsets now fail with `ArithmeticException`
* `testAcceptsMaxIntSheetOffset`
  * Verifies legitimate maximum signed-int offsets continue to parse
    correctly
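
The truncation described in the pull request above, as an added stand-alone example that is not part of the pull request or of POI's code. The class `PersistOffsetDemo`, its `getUInt` helper (a stand-in for `LittleEndian.getUInt`), the `parse` method and the simplified entry layout (info word with a 20-bit first persist id and a 12-bit count, followed by uint32 offsets) are assumptions made for illustration; the sample bytes are constructed.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.LinkedHashMap;
import java.util.Map;

public class PersistOffsetDemo {
    // Hypothetical stand-in for LittleEndian.getUInt: unsigned 32-bit little-endian read.
    static long getUInt(byte[] data, int pos) {
        return ByteBuffer.wrap(data, pos, 4).order(ByteOrder.LITTLE_ENDIAN).getInt() & 0xFFFFFFFFL;
    }

    // Assumed entry layout: info word (low 20 bits = first persist id,
    // high 12 bits = offset count) followed by that many uint32 offsets.
    static Map<Integer, Integer> parse(byte[] body, boolean checked) {
        Map<Integer, Integer> locations = new LinkedHashMap<>();
        int pos = 0;
        while (pos + 4 <= body.length) {
            long info = getUInt(body, pos);
            pos += 4;
            int firstId = (int) (info & 0xFFFFF);
            int count = (int) (info >>> 20);
            for (int i = 0; i < count; i++, pos += 4) {
                if (pos + 4 > body.length) throw new IllegalArgumentException("truncated entry");
                long raw = getUInt(body, pos);
                // checked: ArithmeticException above Integer.MAX_VALUE; unchecked: silent wrap
                int offset = checked ? Math.toIntExact(raw) : (int) raw;
                locations.put(firstId + i, offset);
            }
        }
        return locations;
    }

    public static void main(String[] args) {
        // Constructed body: one entry, first id 1, three offsets.
        ByteBuffer b = ByteBuffer.allocate(16).order(ByteOrder.LITTLE_ENDIAN);
        b.putInt((3 << 20) | 1);
        b.putInt(0x1000);             // ordinary offset
        b.putInt(Integer.MAX_VALUE);  // largest value that still fits in an int
        b.putInt(0xFFFFFFF0);         // uint32 4294967280, does not fit
        byte[] body = b.array();

        System.out.println("cast:    " + parse(body, false));
        try {
            System.out.println("checked: " + parse(body, true));
        } catch (ArithmeticException e) {
            System.out.println("checked: rejected, " + e.getMessage());
        }
    }
}
```

With the plain cast the third offset is stored as -16; with `Math.toIntExact` the same input is rejected before any offset from the malformed entry is used.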