From 0654bf9d87da525765eaba7a8e7242a05c48ee02 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Wed, 23 Aug 2023 09:30:00 +0000
Subject: [PATCH] Bug 66425: Avoid a NullPointerException found via oss-fuzz

We try to avoid throwing NullPointerException, but it was possible
to trigger one here with a specially crafted input-file

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61520

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911863 13f79535-47bb-0310-9956-ffa450edef68
---
 .../poi/xwpf/usermodel/XWPFDocument.java      |   2 +-
 ...imized-POIXWPFFuzzer-6442791109263360.docx | Bin 0 -> 4941 bytes
 test-data/spreadsheet/stress.xls              | Bin 65536 -> 66048 bytes
 3 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-6442791109263360.docx

diff --git a/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFDocument.java b/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFDocument.java
index b5c926967e..1b693b0f70 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFDocument.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFDocument.java
@@ -233,7 +233,7 @@ public class XWPFDocument extends POIXMLDocument implements Document, IBody {
                 }
             }
             // Sort out headers and footers
-            if (doc.getDocument().getBody().getSectPr() != null) {
+            if (doc.getDocument().getBody() != null && doc.getDocument().getBody().getSectPr() != null) {
                 headerFooterPolicy = new XWPFHeaderFooterPolicy(this);
             }
 
diff --git a/test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-6442791109263360.docx b/test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-6442791109263360.docx
new file mode 100644
index 0000000000000000000000000000000000000000..53b8a69712b12c39d6d4caaa4c7d90a42496d23c
GIT binary patch
literal 4941
zcma)AWmuGJw535>WN0brkq!X?1w?x2mJ){UkZv65Msg?#>245ZfT5+4PC-ggkdV5A
z=XgZ#J?FW5p6`3+$E^38cfD)xwfCnikBUZ&goTBL6meT#3F%tkAif(qfo+^QIj-)d
zaf<S&;<%9AbAaUMIU8U|_uwJDggyN?%;1#m&qITlyq2Yx^WxY|%3)dX7LWZssuA14
zi!4xjc(^#M$Wq*qYq*Ka%6&$Zlg4P2vq?)VW=t;S30u*8aE>vNY;;Jc!ge7ax8v(H
zIx{6zxX4rb>VjCuxw@ldKc1{i?(qq$ZoOud+Ebacdjg&$RSdyQW(N6B%BuxA03Z+3
zVWU?bg^njye2KX3`WEM2*@C!(dun{r@5ReJzUT;Q*VQMo<mo+jyR_u9_wH+f+YB2l
zhY#eyrYH|GmE|$9J`Ew?nL_MW6a@)M`Cl0!MEt_k-bC5S-ocsE*ujCr-PQ)G(g%WZ
z5w`3DV#lpbl5&(aqJY%P>Y;LIz3e=P0^D*oee;?-3oEL`^ii{Gm8m-AC!1_;Q^*p0
zgD*{A^2P;dfGB4YR%<;|Ib=vwblLBlXEQK|m@<|fGYJwP<8|C+{Gc62GR(;uS@hhX
zOJqtw=su}uXeb2IG&jiN?qanNB;`4vExr_D#Q&*~2BnA5(c|qU#HwKMw6lJ5RV`x?
zaPTG`D{$0MTPQ&v>`7S7KoGp(u|Uqqt^cTGK-zzO7h8ArZri|md~M~a$@v?W&1EJ^
zys?cNnOQMB6V*NE^Ddsk>n>FAdsPAMpPP~1xQa`^6KqAg80w`3<X;Mg-w|-C!<ZrE
z1e~RiZxk|jGs!GmB;ehRT^d@(xuO=3b!>MV842kEas4~BH?LD`V($dL;x<zCA8vO;
zSHuXlW!b1VL*-=90vgD@(kO`FRdbLFQP4;(y60kDHE)KGkdC(oxB}G#T&nsghYUT-
zojsRL^&p)S1|-&oCm4ZCX{Ed>EMoN;o~Rj6y7SdytT23dOUWwV2paAZQsl1lMg>&I
zYOyGlS*vlcXR}tAoy7zEnH{}Dfes2>a0hF$&EcE3@1oPNf15~v1}u`vy?!VZF8gRt
zW$Uf_;dW4zkc#HW4u5(g{_5+CDkowA#asNNpv_a}W7ltcW04ec<7Hu}y>XIv5-5%E
zA1&fp7}^;b<hvc65P{>9pS)neztOWI1XW~BX=OZ~Je{bBwvMmezIm+e|M9Way8Vav
z2Sn6K3IM&fJ%xwv@osV4;~7<^6QyUvlSCam^Iqvac(*lP%w9^T4)>gy=Dy1+wlQL!
zX-kSN`-C-9wsUxn+OQ=}5fBY^VLaHNJKLwJw!b=`Eu~O*W5n6a{HOG<&d1H($&}L>
z?BZf+XYPD;K2lNgMD1L-l1J(EE20b)i=%WqQ8-ALSfv4j49}PZhy_KBJ5@*GAD@0s
z%<*^{8`}eOT6#<SO(eo)-$Cs5njTk90E94Q2u6wC^sFwELVR2<v=E13V0Ec1mC`z|
z%>=t@F+#l>m_%ID>r{O!iH`KMO0K3_4RC!z;CXCTX*|uEX+D$5M(h}DFyQ<I)c|&9
zll4hdZzIurLQ$L9&!jV#iHAQl7>1^zo`=}Md&Kqc8YKF;M>Bgn7j@&OHa|pIsx1Cj
zf@Al&ZPs80=i~#3mV-UBJ|gRxk7`#<#!fOE95sM|blurm^V`s=lqsFE2T*`0hCl|J
zP$oc?*3yttSpBQdk<%p$x^xyr33JKnO`S3=x4vu}5h)T&Xag17RM&?@xk|fX<oDh$
z5-PedF}ZzU;&@_X`g;^9@lDlMD#Qf60dyWOZ%lR{=W|nJwq7{MI1=Bmpv%W;;J@8B
zE(9f$LrId@jgTavr0Pg>dzg}?hZVsLBB+a#qSKg1HQ)ZigO`#KF!*TBU`-Sa)hnD?
zCeo};p<cTF=-G(1qjh<~qm;T-k#J1dnNqP<H9V$|L=QK=r_5-DDVr3U=~G;2y04eC
zCrVDJgih(zBsQ2CCj7wt8~T-i-odA^t`b}W^}ooa`bq9zmVzjwuC`!1mn#|lZ7+RA
z?GJGwM`E2Ztx!*K{1>3PkVVZ+)QHi8KqwBc%E8X<FHUSB=~782@n@HqvUMU`QP80m
z6BNkt4Cs)@Q&s%6{`!^Fmv4D!z<S#Zov}kT92E^Ff&P&0b0=!`AYDj@FkhvbPB~-e
z$mFc7Ym6oT*Hn&%U9X21Ydr#aNNudlZ^Oc2m+mt~R)De+VJp4^x<Je(7qXmJ2mEpV
zUeHH0i<v70l3l=J`%>z+Y9|mbN}}v42zKM{Ui1>9Pf#*}Ck8{<?%0D4Ne|ixo{K}n
z6TlTeT;EO?ClI@T`Tt8W6MNe$Vtyppj^>Qj%tJz-U9AuwEe1wQ%SWq5M5-ux#M`Uc
z_Qm7V)1LO*B_&LT3;J_5a3=>!7Gm7Tb%XusjoaisllR)t2qwmm)OaL&bRtmLLfMj^
zn0<2erSW}?tbG@!KQWiwGvD8iiKc8TfrajM4WS^$jly1Kuqk$KE{Y@z88`M=J7kbk
zBOLus&8dWbaF4QODd^Q}9AULoIdeUhI~A_=X5_VWZei+TIxf`kOnOP7x-tWn6i9~c
zx#mUfVymH#!h~*$1f>*<KV|TutwBHvl||ff2t@QfVRm%S6S61vd9&=RW&Czz#?ekJ
zEB%SXisi<R-m+(5_L@%>@7eSnRr+ujjfkev!d-wBIvUeT3eC3$$juKMExpy$olf2q
z8NA=#J#O(ulcjm7N}ldqj}^tTH=f;NMj9v#mV(UUkF%E96sC93fI(W?a`K8?r6oM`
z+D2O}RHqur9ma9}E72Ptr92(K!Sqs0UmAbLucw>5c$(UGbhu@3(psz*_6`)VggZB!
zd0dEXrX6Tb%W*ibJiTB-8v*_V>?^d?WKLFrk<6=u7$Z{XGg;m6t^0Xv96k==H$T6b
z5NZ4>18s|&3~lY~(0_oUF6RzpIZI08C9jZK01;^sHMepskZecM0+u>Dw<YBW_MC+_
zY;yjU9I6%y>1&>nvpJH344-2F{8gCm^<;oX1FYL!?R|^)Xwx<_4C}PVQAb3J^}0o;
zcM_^UK1?>r^5yY)e@aJnFK@lXp@~K3cn@#KVkZyRp7M1l&_WP;`qpBo0NO8)5pen;
z4g<&RErwX0TV<(<^SFKSOt`z=q}QErw@q7GHW+-$t`T)iU~JxQ{FM2l&F<K{kN4SU
zET=BUtE5`BmBK_>58ITtw<b}Qb4(pSofG0+me%>fR`30=dmgi**9fII;Qm)N_{UDJ
z*MU6sKD!x2D|G}!o41uyBy5maeG)+;%Ez^NfNBvI7xMKvBe?VYI|sX5FDgsKS`L7}
znYS7kcSP`B7tD-opsN=96dJEUW@l|V9d_pVy=gk8AJfb#zvL!B2uF#!F7xw?s=AiR
z_F!D{2u@omPp-Um=um%o&8ktWZF`uW{&arqliY`@=<2yR?-CR8b821NX(zOY?k*DP
z3cuWrBRNlBcOwpdihTYZB>bQfdXeWhV%1AorgHo482(+-`4!q43RnJkvwYUCK#C|4
z=jY9j8!-f0V!Ull?*-z#@{<;t(S8-l*NTJl6>viNMiQQ`{b4$~(g$^>IaG1qx@jEO
z_lN`3zeFP{#|S$aIeuEyaGqRT&wKjdO@kjFXIp(2%6&EwESUr;H`8$QC8I6ph|ga?
zz!<68bwX`eloT{pxu2C{MPhZJHFc;X?N($zl5||SB#uN9Ns0wc0DA7+Y)u%--9#ra
zQ50;}nFv|0FfS#0uJ3gmghd^Yb4>I?B;od(1zS4-wRQrGV~tRzj@-1FWYnr1gS+?N
zSs@RjaRj>JjA&Duty)M{cp}e;F>uL>9)7p1nYPF+M^D-hS!S9F!c(KcQxoIAS&;`t
zvmq__zoE6~qQIMiAzrW`k<@H;N_r)c{X%}-RfJ*eq5YRc2!0xdvx|of_(wVH)R;jC
z1lMOli_B9AiYBFn<{B;_<&PpIP?F@PlW)S_q?nMFzfjdS6|Jbc%^#_MAdtmbCzCq1
zB$VLo;>0QCgh|q<Nlw0lCyNrc5m+qs*sjbxNHQ+#RZ*4%u)CWgCY{PpNLO*F6y0cf
z9{|!MFHGl+=abS5$ZaUVW1#`oCXRWGa*QO_J+Dkf&f(;g5~ju{P?c?@w@n%LEr?m|
zw;IcvG11L$x+@f<-CGb1ab%RzdssDz6g$RY&Aayv*HvUau-O$&lBkD?6eo{;;Q8*v
z3LX5-q(rqdizPc1#;9+7<dpUo{?T6Js#Imubo14?bt4~-(l}s63xk+Cl+Bw7jd+gL
zDK*ylSk``PHH-}x8A6_-<8M)5T)?RP5!FrI)U?HM3HAW)yOpwBrleeJ;e(C~D$le#
zQ^w2RU+nc*QqlBw;3f#Q95rd0X`HHUx9-GgP4(m`AxSeGWw7_lcqS9Mzk1KjdL`xF
z*vRv|d~ElppK`jpMM79|7{cT%yewxc;fB>LF5h`_l$4_^vu(puCqRBpS+UcTBYtbU
zH#AS`^rZtIwC%%<I$o*;FQ;ve%Dii}KA-e$t-;u?{>qNr?+t`aQBcU?f<<^@f*vdo
zhLB@))VLU(y9!Xp)nm_FOullv<q<TiM^Aki;(mOSo!Vn2aan<Miy_!>EZg{F?BjQU
zv)8Zz(ihcV++Q0Kbd&Tc3C{1X9JlK0JGl&Pu(*4rO_67mhUY8o=m*UE;iih0kLLur
z$|;g1kv8s<yOcy$UaY%s2xU(4P`x(q62U#B>}t86;=P}~T+Eqv6z7U_h%8u449C}+
zsl4o(ls>T6azFc_-6Tc)I6p*rBfs%q+P#I)uAU^Ki$oZ?p}L0y*jfLo(P>Rkl<(jo
zgzTOI<;q6PzR}X#9?`mwiH=owm`-D)5%4(9ogaakXhN{&G$!TgOxHZ-=_LC)r*WsS
zQLM~?&vg2AFf@hpY_%#2*2LP3!#y<xC<&5PN;|{8aevnvR5>(4BN+_JOPfHyLw{Qm
z-WpS$gX+tlY3RIRgGRZZOjg1{BTHHnXu~SuO^CtPm5GYm9ex0wnyaG|0y4GG)DXvh
z{gS9*Xmc`{APlG2u7%^U8J&5>J2{c3OM@2a$Dz5-w#AHuD+9{%$kv<cSx!naSSm0_
zyA70dj)nKBP0@UBnzIBYA`UW+w;XRpwh$49nnRu{Wkd|c)!gKS5#(p|Iy_W@eBhW0
zc=YkI(&3e^aD2MCd!VQXPy2e~r9k^q7nW^7J+~c(Ae<v=7V4|{^-Ge5AEIT)#HvY<
zRuM!Ljinz&0~v)F>DOC}>(l$yTZ`Z0+B*!y|NaeleKx%s?tcXl;!%H&`hTLYPfk~c
z_A6`=3i${9bDI4VetjtU9gc_C<Nq4A{)As|yRRmfU-9K9{I@ygPyF?^^r|`k6(Eei
zAOA0{`kyNSu37%?8?nRud!_45?Vs@LcJMn~1N(3I^)BI0`1Opu@{C{Mj%Y#tqVXRG
u`4fCiRnC^4U{$b<4ANEd{t7<Cn*T>CE6bxJSVBU=Mtr;wr(OC(KK}zeaSG4?

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 493ccd7d8388ec363e33ce6b39c0840dfd3f7883..ab1d2675aae441cae9ae1aeb38e78ae07e6d9e30 100644
GIT binary patch
delta 1845
zcmbW1U1$_n6vzK}a`Un7he=%5Rhu|TtxAb8Yr-xmC8o6mT8j;~_=PRTxY;b2T{F8u
ziRiAiphXbrl?d%aL@GjUw8`BdrA2*^5-0^95<{uRfG>SiX<z)>o|)P2WL`Q8v*-No
zIsbF+-n%E6<jJr2Ph7E`0Ps4UPA8;OdCZ*0Gp>$ai&tgQa`mtF9iw89pH}9d$>;pH
zG8^6q>=>Q-la-0_F9Q>{H40ONYOh=Hc8ha%n?ZG}vH?)a*?Z6sMh_0bhZamxxhkAz
z^hK+p(bZV%Lp>hku|oKX!{Y#KW?Tk{6An9RKXEh|Z?E{+sn?=Van5P3c*MR;jN8@3
z82tEE(aRW$ZWk{_Uh%FYqe105ipmjaD+1zDM%&x8C8t}-wi;Ut<AAYEAKpekZO)%h
zowlp42Vk`8f@VD8kkekRl%&h8u2G(-qL%+nt3Zkj{o$kPJlrHu%5PZkuPyku7W}(H
zo+v2%L*YUJ|Ivb5H8f%oe{B&?^}($QES8|hk1rym^Z(IMV$q-4s-d5a!nOrRbIXEH
zTJW1Wo+v(hnOi94=8hK@HXB;9prJ8C$DZXEYHBXpFWSM)yF$0!ymJ@&#OKQg63(pu
z4;jXD$H;e)UEGIxMV4myG`h)L1DNsE#oUwSHF>TANpA^%A1EnYn@z|yZXWHjET6`H
zGFN4V+~TZf6I(8R@oe%@RkP_5%@tWbP5)tZ<eK)%)hj}bRf<#I_59vx)+Dcc@6{`J
zkBDTzt=ygwBY~ae8#tiJr-3?Esa++jcYnH)Z4-|UZfw}StGlafXm~iNZS=RbZ4R{i
zd@b#p{jIJ3mga-e-lL5|ezf+J4}qYjMYVU-&-#PvVJ+GljK#u{kQ$D};@VJeJRFUv
z14FU6dLS4IN7N(Xc)uE_&`8ffP>uE(cDzRm1>?<W49mX37^@f$0asSaS*^=eKS`V0
zat63M0^Il>*fjyP-U1%|4!k)dw$F9TvnP*Lvq@R`&CCa)bBZ%5d{fI<O8#+QRwQ0w
z2_$KBB1-ej^cZ>iO)))%ylvz$rGg^M$TK-7Yi};9oMH}>f*DnjiPA?~UO7eMvD27u
zx<ZNuc4uBXm6J|EmtL2VPC=I*%t)u8OV6SiFKJGmXWfEbS}(3YtYQ#1A2z$jD3_YR
q7=1Vw?iX(f@7&tjj#=P~dEoxvK>bso@0r{_H&G|{pW1WzCI1htuBbi$

delta 1448
zcmbW1-Afc<6vm%-c2=F8oy}d>bu3)RN{R?SU}*_LjQj(Zgb1RjE-Jy06e@_?r38sY
zmfliGDk-n}u-4a*u+pmtga}-bZd#$B?n=m;NVj)poY@a|Zkl0+Grx1*=R9Y=68&N#
zA-)s^=_-KrY&Lt1DZ*Ex=%ICF>6)v@jnRlONH2&3!u}QZM||&+5<`M8xcHg4XhVN=
zQmPjSp_*K`=^Ug(vSd&_DsKRYn;b+hx^N2JXvH3!Bfvf+`56KT{ibNXy@YV|M%X|}
zZ;*Nvh0Ba7Ds548!K63j1^l^n9ME>JY^M$srecbo8dDlf6;C8zUYCmG>UkHBRGjzZ
z@=33yQc+Mv!&d($pu(;%Cx?t-yKveVycI3@z(?Dt;J1XP<?XD)_dtx-aK4(=fGHm6
zoA^*$Mi86%3kQDFf!}lBqxn3Z*Z4_(B9A|F;7*2y9qON!;JiOXrv{}K==G@*LOTBs
zL-CTg+R4ysqj8A$Dtu(`9QZ2-K5g@Op%AkZh1{HYb7RvGf0>I6JvVeJEq=%EACX67
zh~~Qzu=yE!y!w1?(7OK317n*r*30x*mDZj{jI(;cgc83n%$b~fGPx(mH6WqdoX%Hk
zyKM*NGxFz(Px5f9Rjklkp=Pp$&V-s<%dMIsSJf6z^N$Q|wy`R<t>!EtD!rlZ5+lnC
z<7`6x6c*Ml(nK^UsA)PJJ>m|FKo47q)@ed#Evr1*S?kK8mo@hG5jNJ>;R`daet7^`
zz6<<#3?x%P_gg@n=R+;f)l7^XzJ8^WF!u5GVh5XF8ZVQV_)kr%0ROSY=-k8(sZ9uA
zs_Z`h%ui&Rd?~oOCP9ktZa1Cz+el|KI|Cz&!1NcO`8#mwCoubqt!5_c9<7W202n7s
AFaQ7m