Posted to dev@poi.apache.org by bu...@apache.org on 2013/03/13 01:44:43 UTC
[Bug 54682] New: UnhandledDataStructure - OutOfMemoryError
https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
Bug ID: 54682
Summary: UnhandledDataStructure - OutOfMemoryError
Product: POI
Version: 3.9
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: HWPF
Assignee: dev@poi.apache.org
Reporter: philip.persad@gmail.com
Classification: Unclassified
In the constructor for org.apache.poi.hwpf.model.UnhandledDataStructure, a byte
array is allocated using a length value prior to the code which validates that
the parameters passed to the constructor are sane. The current check is:
    if (offset + length > buf.length)
    {
        throw new IndexOutOfBoundsException("buffer length is " + buf.length +
                                            "but code is trying to read " +
                                            length + " from offset " + offset);
    }
This should be done prior to creating the buffer. In one case a malformed word
document was attempting to allocate ~1.8g of data when the total file size was
90k.
Also, the check should be:
    if (((long) offset) + length > buf.length)
In a corrupt file the parameters could potentially be large enough to overflow
an integer.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@poi.apache.org
For additional commands, e-mail: dev-help@poi.apache.org
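The ordering and overflow problem from the report above, as an added example that is not POI's code or either patch mentioned in this thread. The class and method names (ValidateBeforeAllocate, intCheckRejects, longCheckRejects, readRange) are hypothetical and every input value is constructed.

```java
public class ValidateBeforeAllocate {

    // Check as quoted in the report: int addition, which wraps on overflow.
    static boolean intCheckRejects(int bufLen, int offset, int length) {
        return offset + length > bufLen;
    }

    // Widened sum as proposed in the report, plus explicit negative-value
    // checks so a negative offset or length is refused as well.
    static boolean longCheckRejects(int bufLen, int offset, int length) {
        return offset < 0 || length < 0 || ((long) offset) + length > bufLen;
    }

    // Validate first, allocate second, copy last.
    static byte[] readRange(byte[] buf, int offset, int length) {
        if (longCheckRejects(buf.length, offset, length)) {
            throw new IndexOutOfBoundsException("buffer length is " + buf.length
                    + " but code is trying to read " + length
                    + " from offset " + offset);
        }
        byte[] out = new byte[length];   // size is now bounded by buf.length
        System.arraycopy(buf, offset, out, 0, length);
        return out;
    }

    public static void main(String[] args) {
        byte[] file = new byte[90 * 1024];      // constructed stand-in for a 90k document
        int[][] cases = {                        // {offset, length}, all constructed
            {16, 32},                            // sane request
            {0, 1_800_000_000},                  // huge length, far larger than the input
            {Integer.MAX_VALUE - 10, 100},       // offset + length wraps negative as int
            {-4, 8},                             // negative offset
        };
        for (int[] c : cases) {
            String outcome;
            try {
                outcome = "copied " + readRange(file, c[0], c[1]).length + " bytes";
            } catch (IndexOutOfBoundsException e) {
                outcome = "rejected before allocation";
            }
            System.out.printf("offset=%d length=%d intCheckRejects=%b -> %s%n",
                    c[0], c[1], intCheckRejects(file.length, c[0], c[1]), outcome);
        }
    }
}
```

The last two cases are the ones the int-only check lets through; the second case is caught by either check, but only helps if the check runs before the allocation.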
[Bug 54682] UnhandledDataStructure - OutOfMemoryError
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
Nick Burch <ap...@gagravarr.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #4 from Nick Burch <ap...@gagravarr.org> ---
Fixed in r1487555. (Slightly different patch to the redhat one, but the same
idea)
[Bug 54682] UnhandledDataStructure - OutOfMemoryError
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
Nick Burch <ap...@gagravarr.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO
--- Comment #1 from Nick Burch <ap...@gagravarr.org> ---
Do you have a sample file that shows off the problem you could share?
[Bug 54682] UnhandledDataStructure - OutOfMemoryError
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
--- Comment #6 from Nick Burch <ap...@gagravarr.org> ---
I made some additional tweaks in r1487558, which I think should cover the int
overflowing into negative case. If you think there's something still missing,
please let me know, and if possible include a failing unit test :)
[Bug 54682] UnhandledDataStructure - OutOfMemoryError
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
Phil Persad <ph...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |philip.persad@gmail.com
[Bug 54682] UnhandledDataStructure - OutOfMemoryError
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
Phil Persad <ph...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW
--- Comment #2 from Phil Persad <ph...@gmail.com> ---
Unfortunately, I'm working under some rather strong confidentiality constraints
and cannot provide you with the document which causes the error.
However, the current structure of the code is:
    <allocate buffer>
    <sanity check length>
    <perform copy>
The structure:
    <sanity check length>
    <allocate buffer>
    <perform copy>
is clearly safer. The fact that there is a sanity check in the existing code
acknowledges that unsafe behaviour is possible; in that case it makes a lot of
sense to perform buffer allocation afterwards.
It's also worth noting that an OutOfMemoryError is a catastrophic failure. The
worst case for most exceptions thrown by the poi library is a failure to parse
a given document. However, an OutOfMemoryError will generally take down the
entire application.
[Bug 54682] UnhandledDataStructure - OutOfMemoryError
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
--- Comment #3 from Damiano Albani <da...@gmail.com> ---
Would you consider using the patch provided by RedHat regarding this issue?
It's available in their own bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=799078
[Bug 54682] UnhandledDataStructure - OutOfMemoryError
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
--- Comment #5 from Phil Persad <ph...@gmail.com> ---
The code:
    if (offset < 0 || length < 0)
fails to account for the very real potential for integer overflow. The check
for offset + length < 0 is necessary. I avoided that by casting to long,
however I think the RedHat solution using binary inclusive OR is more elegant.
[Bug 54682] UnhandledDataStructure - OutOfMemoryError
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=54682
--- Comment #7 from Phil Persad <ph...@gmail.com> ---
r1487558 looks good.