You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@poi.apache.org by ni...@apache.org on 2013/06/25 17:49:45 UTC

svn commit: r1496520 - /poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java

Author: nick
Date: Tue Jun 25 15:49:45 2013
New Revision: 1496520

URL: http://svn.apache.org/r1496520
Log:
Sanity check the length, logging and truncating if too long, to avoid a StringIndexOutOfBoundsException (bug #54925)

Modified:
    poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java

Modified: poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java?rev=1496520&r1=1496519&r2=1496520&view=diff
==============================================================================
--- poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java (original)
+++ poi/trunk/src/scratchpad/src/org/apache/poi/hslf/record/StyleTextPropAtom.java Tue Jun 25 15:49:45 2013
@@ -273,6 +273,7 @@ public final class StyleTextPropAtom ext
         while(pos < rawContents.length && textHandled < prsize) {
             // First up, fetch the number of characters this applies to
             int textLen = LittleEndian.getInt(rawContents,pos);
+            textLen = checkTextLength(textLen, textHandled, size);
             textHandled += textLen;
             pos += 4;
 
@@ -308,6 +309,7 @@ public final class StyleTextPropAtom ext
         while(pos < rawContents.length && textHandled < chsize) {
             // First up, fetch the number of characters this applies to
             int textLen = LittleEndian.getInt(rawContents,pos);
+            textLen = checkTextLength(textLen, textHandled, size);
             textHandled += textLen;
             pos += 4;
 
@@ -345,6 +347,15 @@ public final class StyleTextPropAtom ext
 
         initialised = true;
     }
+    
+    private int checkTextLength(int readLength, int handledSoFar, int overallSize) {
+        if (readLength + handledSoFar > overallSize + 1) {
+            logger.log(POILogger.WARN, "Style length of " + readLength + " at " + handledSoFar + 
+                    " larger than stated size of " + overallSize + ", truncating");
+            return overallSize + 1 - handledSoFar;
+        }
+        return readLength;
+    }
 
 
     /**



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@poi.apache.org
For additional commands, e-mail: commits-help@poi.apache.org