You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@poi.apache.org by ni...@apache.org on 2007/01/12 15:19:36 UTC

svn commit: r495578 - /jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java

Author: nick
Date: Fri Jan 12 06:19:35 2007
New Revision: 495578

URL: http://svn.apache.org/viewvc?view=rev&rev=495578
Log:
Throw an exception if a picture claims to have a negative amount of data. Should avoid problem in bug #41357

Modified:
    jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java

Modified: jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
URL: http://svn.apache.org/viewvc/jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java?view=diff&rev=495578&r1=495577&r2=495578
==============================================================================
--- jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java (original)
+++ jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java Fri Jan 12 06:19:35 2007
@@ -35,6 +35,7 @@
 import org.apache.poi.hpsf.SummaryInformation;
 import org.apache.poi.hpsf.DocumentSummaryInformation;
 
+import org.apache.poi.hslf.exceptions.CorruptPowerPointFileException;
 import org.apache.poi.hslf.exceptions.EncryptedPowerPointFileException;
 import org.apache.poi.hslf.record.*;
 import org.apache.poi.hslf.usermodel.PictureData;
@@ -271,6 +272,13 @@
             pos += LittleEndian.INT_SIZE;
             byte[] imgdata = new byte[imgsize];
             System.arraycopy(pictstream, pos, imgdata, 0, imgdata.length);
+
+			// The image size must be 0 or greater
+			// (0 is allowed, but odd, since we do wind on by the header each
+			//  time, so we won't get stuck)
+			if(imgsize < 0) {
+				throw new CorruptPowerPointFileException("The file contains a picture, at position " + p.size() + ", which has a negatively sized data length, so we can't trust any of the picture data");
+			}
 
 			// If they type (including the bonus 0xF018) is 0, skip it
 			if(type == 0) {



---------------------------------------------------------------------
To unsubscribe, e-mail: poi-dev-unsubscribe@jakarta.apache.org
Mailing List:    http://jakarta.apache.org/site/mail2.html#poi
The Apache Jakarta POI Project: http://jakarta.apache.org/poi/