Apache
/
poi
mirror of https://github.com/apache/poi.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Limit the maximum number of records that are read for an XLS 

To avoid unexpected behavior on some corrupted input-data

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1896555 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Dominik Stadler 2021-12-30 23:04:16 +00:00
parent 8f991d52f7
commit 35e96646f4
1 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
poi/src/main/java/org/apache/poi/hssf/record/RecordFactory.java
View File

@ -22,6 +22,7 @@ import java.util.ArrayList;
import java.util.Arrays; import java.util.Arrays;
import java.util.List; import java.util.List;
import org.apache.poi.util.IOUtils;
import org.apache.poi.util.RecordFormatException; import org.apache.poi.util.RecordFormatException;
/** /**
@ -33,6 +34,9 @@ import org.apache.poi.util.RecordFormatException;
public final class RecordFactory { public final class RecordFactory {
private static final int NUM_RECORDS = 512; private static final int NUM_RECORDS = 512;
// how many records we read at max by default (can be adjusted via IOUtils)
private static final int MAX_NUMBER_OF_RECORDS = 1_000_000;
private RecordFactory() {} private RecordFactory() {}
/** /**
@ -105,12 +109,13 @@ public final class RecordFactory {
* @return the equivalent array of {@link NumberRecord NumberRecords} * @return the equivalent array of {@link NumberRecord NumberRecords}
*/ */
public static NumberRecord[] convertRKRecords(MulRKRecord mrk) { public static NumberRecord[] convertRKRecords(MulRKRecord mrk) {
if (mrk.getNumColumns() < 0) { int numColumns = mrk.getNumColumns();
throw new RecordFormatException("Cannot create RKRecords with negative number of columns: " + mrk.getNumColumns()); if (numColumns < 0) {
throw new RecordFormatException("Cannot create RKRecords with negative number of columns: " + numColumns);
} }
NumberRecord[] mulRecs = new NumberRecord[mrk.getNumColumns()]; NumberRecord[] mulRecs = new NumberRecord[numColumns];
for (int k = 0; k < mrk.getNumColumns(); k++) { for (int k = 0; k < numColumns; k++) {
NumberRecord nr = new NumberRecord(); NumberRecord nr = new NumberRecord();
nr.setColumn((short) (k + mrk.getFirstColumn())); nr.setColumn((short) (k + mrk.getFirstColumn()));
@ -171,6 +176,8 @@ public final class RecordFactory {
Record record; Record record;
while ((record = recStream.nextRecord())!=null) { while ((record = recStream.nextRecord())!=null) {
records.add(record); records.add(record);
IOUtils.safelyAllocateCheck(records.size(), MAX_NUMBER_OF_RECORDS);
} }
return records; return records;