Limit allocated elements in the PlfLfo structure for word documents

Use large allocation-detection here as well,
otherwise some documents can try to allocate too much memory.

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1896744 13f79535-47bb-0310-9956-ffa450edef68

poi-scratchpad/src/main/java/org/apache/poi/hwpf/model/PlfLfo.java

@@ -26,6 +26,7 @@ import java.util.NoSuchElementException;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.apache.poi.hwpf.model.types.LFOAbstractType;
+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.LittleEndian;
 import org.apache.poi.util.LittleEndianConsts;
 
@@ -37,10 +38,11 @@ import static org.apache.logging.log4j.util.Unbox.box;
  * Documentation quoted from Page 424 of 621. [MS-DOC] -- v20110315 Word (.doc)
  * Binary File Format
  */
-public class PlfLfo
-{
+public class PlfLfo {
     private static final Logger LOGGER = LogManager.getLogger(PlfLfo.class);
 
+    private static final int MAX_NUMBER_OF_LFO = 100_000;
+
     /**
      * An unsigned integer that specifies the count of elements in both the
      * rgLfo and rgLfoData arrays.
@@ -76,6 +78,8 @@ public class PlfLfo
                             + Integer.MAX_VALUE + " elements" );
         }
 
+        IOUtils.safelyAllocateCheck(lfoMacLong, MAX_NUMBER_OF_LFO);
+
         this._lfoMac = (int) lfoMacLong;
         _rgLfo = new LFO[_lfoMac];
         _rgLfoData = new LFOData[_lfoMac];

poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java

@@ -54,7 +54,9 @@ public class TestWordToConverterSuite
         "password_tika_binaryrc4.doc",
         "password_password_cryptoapi.doc",
         // WORD 2.0 file
-        "word2.doc"
+        "word2.doc",
+        // Corrupt file
+        "Fuzzed.doc"
     );
 
     public static Stream<Arguments> files() {