You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@poi.apache.org by ce...@apache.org on 2021/12/13 19:22:35 UTC
svn commit: r1895922 - in /poi/trunk: poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/ poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/ poi-scratchpad/src/main/java/org/apac...
Author: centic
Date: Mon Dec 13 19:22:34 2021
New Revision: 1895922
URL: http://svn.apache.org/viewvc?rev=1895922&view=rev
Log:
Fix issues found when fuzzing Apache POI via Jazzer
Add some additional allocation limits to avoid OOM in
some more cases with some broken input files
Modified:
poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveFakeEntry.java
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFTextParagraph.java
poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlexOfCps.java
poi/trunk/poi/src/main/java/org/apache/poi/poifs/filesystem/POIFSFileSystem.java
Modified: poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveFakeEntry.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveFakeEntry.java?rev=1895922&r1=1895921&r2=1895922&view=diff
==============================================================================
--- poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveFakeEntry.java (original)
+++ poi/trunk/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipArchiveFakeEntry.java Mon Dec 13 19:22:34 2021
@@ -35,7 +35,12 @@ import org.apache.poi.util.TempFile;
* @see ZipInputStreamZipEntrySource#setThresholdBytesForTempFiles(int)
*/
/* package */ class ZipArchiveFakeEntry extends ZipArchiveEntry implements Closeable {
- private static Logger LOG = LogManager.getLogger(ZipArchiveFakeEntry.class);
+ private static final Logger LOG = LogManager.getLogger(ZipArchiveFakeEntry.class);
+
+ // how large a single entry in a zip-file should become at max
+ // can be overwritten via IOUtils.setByteArrayMaxOverride()
+ private static final int MAX_ENTRY_SIZE = 100_000_000;
+
private byte[] data;
private File tempFile;
private EncryptedTempData encryptedTempData;
@@ -64,7 +69,7 @@ import org.apache.poi.util.TempFile;
}
// Grab the de-compressed contents for later
- data = (entrySize == -1) ? IOUtils.toByteArray(inp) : IOUtils.toByteArray(inp, (int)entrySize);
+ data = (entrySize == -1) ? IOUtils.toByteArray(inp) : IOUtils.toByteArray(inp, (int)entrySize, MAX_ENTRY_SIZE);
}
}
Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java?rev=1895922&r1=1895921&r2=1895922&view=diff
==============================================================================
--- poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java (original)
+++ poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hdgf/pointers/PointerFactory.java Mon Dec 13 19:22:34 2021
@@ -18,6 +18,7 @@
package org.apache.poi.hdgf.pointers;
import org.apache.poi.hdgf.streams.PointerContainingStream;
+import org.apache.poi.util.IOUtils;
import org.apache.poi.util.LittleEndian;
/**
@@ -25,10 +26,14 @@ import org.apache.poi.util.LittleEndian;
* of the file
*/
public final class PointerFactory {
- private int version;
+ private static final int MAX_NUMBER_OF_POINTERS = 100_000;
+
+ private final int version;
+
public PointerFactory(int version) {
this.version = version;
}
+
public int getVersion() { return version; }
/**
@@ -71,6 +76,12 @@ public final class PointerFactory {
// How much to skip for the num pointers + any extra data?
int skip = parent.getPostNumPointersSkip();
+ if (numPointers < 0) {
+ throw new IllegalArgumentException("Cannot create container pointers with negative count: " + numPointers);
+ }
+
+ IOUtils.safelyAllocateCheck(numPointers, MAX_NUMBER_OF_POINTERS);
+
// Create
int pos = numPointersOffset + skip;
Pointer[] childPointers = new Pointer[numPointers];
Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java?rev=1895922&r1=1895921&r2=1895922&view=diff
==============================================================================
--- poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java (original)
+++ poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hpbf/model/qcbits/QCPLCBit.java Mon Dec 13 19:22:34 2021
@@ -17,6 +17,7 @@
package org.apache.poi.hpbf.model.qcbits;
+import org.apache.poi.util.IOUtils;
import org.apache.poi.util.LittleEndian;
import org.apache.poi.util.StringUtil;
@@ -26,8 +27,10 @@ import org.apache.poi.util.StringUtil;
* format is determined by the type of the PLCs.
*/
public abstract class QCPLCBit extends QCBit {
- private int numberOfPLCs;
- private int typeOfPLCS;
+ private static final int MAX_NUMBER_OF_PLCS = 1000;
+
+ private final int numberOfPLCs;
+ private final int typeOfPLCS;
/**
* The data which goes before the main PLC entries.
* This is apparently always made up of 2 byte
@@ -53,6 +56,7 @@ public abstract class QCPLCBit extends Q
typeOfPLCS = (int)LittleEndian.getUInt(data, 4);
// Init the arrays that we can
+ IOUtils.safelyAllocateCheck(numberOfPLCs, MAX_NUMBER_OF_PLCS);
plcValA = new long[numberOfPLCs];
plcValB = new long[numberOfPLCs];
}
Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java?rev=1895922&r1=1895921&r2=1895922&view=diff
==============================================================================
--- poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java (original)
+++ poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowImpl.java Mon Dec 13 19:22:34 2021
@@ -91,6 +91,7 @@ public final class HSLFSlideShowImpl ext
//arbitrarily selected; may need to increase
private static final int DEFAULT_MAX_RECORD_LENGTH = 200_000_000;
+ private static final int MAX_DOCUMENT_SIZE = 100_000_000;
private static int MAX_RECORD_LENGTH = DEFAULT_MAX_RECORD_LENGTH;
// Holds metadata on where things are in our document
@@ -233,7 +234,7 @@ public final class HSLFSlideShowImpl ext
// Grab the document stream
int len = docProps.getSize();
try (InputStream is = dir.createDocumentInputStream(docProps)) {
- _docstream = IOUtils.toByteArray(is, len);
+ _docstream = IOUtils.toByteArray(is, len, MAX_DOCUMENT_SIZE);
}
}
Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFTextParagraph.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFTextParagraph.java?rev=1895922&r1=1895921&r2=1895922&view=diff
==============================================================================
--- poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFTextParagraph.java (original)
+++ poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFTextParagraph.java Mon Dec 13 19:22:34 2021
@@ -86,6 +86,8 @@ import org.apache.poi.util.Units;
public final class HSLFTextParagraph implements TextParagraph<HSLFShape,HSLFTextParagraph,HSLFTextRun> {
private static final Logger LOG = LogManager.getLogger(HSLFTextParagraph.class);
+ private static final int MAX_NUMBER_OF_STYLES = 10_000;
+
// Note: These fields are protected to help with unit testing
// Other classes shouldn't really go playing with them!
private final TextHeaderAtom _headerAtom;
@@ -1551,7 +1553,11 @@ public final class HSLFTextParagraph imp
for (int csIdx = 0; csIdx < charStyles.size(); csIdx++) {
TextPropCollection p = charStyles.get(csIdx);
- for (int ccRun = 0, ccStyle = p.getCharactersCovered(); ccRun < ccStyle;) {
+ int ccStyle = p.getCharactersCovered();
+ if (ccStyle > MAX_NUMBER_OF_STYLES) {
+ throw new IllegalStateException("Cannot process more than " + MAX_NUMBER_OF_STYLES + " styles, but had paragraph with " + ccStyle);
+ }
+ for (int ccRun = 0; ccRun < ccStyle;) {
HSLFTextParagraph para = paragraphs.get(paraIdx);
List<HSLFTextRun> runs = para.getTextRuns();
trun = runs.get(runIdx);
Modified: poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlexOfCps.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlexOfCps.java?rev=1895922&r1=1895921&r2=1895922&view=diff
==============================================================================
--- poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlexOfCps.java (original)
+++ poi/trunk/poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlexOfCps.java Mon Dec 13 19:22:34 2021
@@ -37,6 +37,7 @@ public final class PlexOfCps {
//arbitrarily selected; may need to increase
private static final int MAX_RECORD_LENGTH = 10_485_760;
+ private static final int MAX_NUMBER_OF_PROPERTIES = 100_000;
private int _iMac;
private final int _cbStruct;
@@ -57,6 +58,8 @@ public final class PlexOfCps {
// Figure out the number we hold
_iMac = (cb - 4) / (4 + cbStruct);
+ IOUtils.safelyAllocateCheck(_iMac, MAX_NUMBER_OF_PROPERTIES);
+
_cbStruct = cbStruct;
_props = new ArrayList<>(_iMac);
Modified: poi/trunk/poi/src/main/java/org/apache/poi/poifs/filesystem/POIFSFileSystem.java
URL: http://svn.apache.org/viewvc/poi/trunk/poi/src/main/java/org/apache/poi/poifs/filesystem/POIFSFileSystem.java?rev=1895922&r1=1895921&r2=1895922&view=diff
==============================================================================
--- poi/trunk/poi/src/main/java/org/apache/poi/poifs/filesystem/POIFSFileSystem.java (original)
+++ poi/trunk/poi/src/main/java/org/apache/poi/poifs/filesystem/POIFSFileSystem.java Mon Dec 13 19:22:34 2021
@@ -64,6 +64,8 @@ public class POIFSFileSystem extends Blo
private static final int DEFAULT_MAX_RECORD_LENGTH = 100_000;
private static int MAX_RECORD_LENGTH = DEFAULT_MAX_RECORD_LENGTH;
+ private static final int MAX_ALLOCATION_SIZE = 100_000_000;
+
private static final Logger LOG = LogManager.getLogger(POIFSFileSystem.class);
/**
@@ -334,6 +336,10 @@ public class POIFSFileSystem extends Blo
if (maxSize > Integer.MAX_VALUE) {
throw new IllegalArgumentException("Unable read a >2gb file via an InputStream");
}
+
+ // don't allow huge allocations with invalid header-values
+ IOUtils.safelyAllocateCheck(maxSize, MAX_ALLOCATION_SIZE);
+
ByteBuffer data = ByteBuffer.allocate((int) maxSize);
// Copy in the header
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@poi.apache.org
For additional commands, e-mail: commits-help@poi.apache.org