Fix for bug 38526 - If the record claims to be longer than the remaining data, just return null and ignore it

git-svn-id: https://svn.apache.org/repos/asf/jakarta/poi/trunk@375274 13f79535-47bb-0310-9956-ffa450edef68
Nick Burch 2006-02-06 13:12:02 +00:00
parent 64fc6d5410
commit 3258401397
1 changed files with 12 additions and 2 deletions


@ -105,9 +105,12 @@ public abstract class Record
throw new CorruptPowerPointFileException("Corrupt document - starts with record of type 0000 and length 0xFFFF");
}
//System.out.println("Found a " + type + " at pos " + pos + " (" + Integer.toHexString(pos) + "), len " + rlen);
Record r = createRecordForType(type,b,pos,8+rleni);
children.add(r);
if(r != null) {
children.add(r);
} else {
// Record was horribly corrupt
}
pos += 8;
pos += rlen;
}
@ -132,6 +135,13 @@ public abstract class Record
public static Record createRecordForType(long type, byte[] b, int start, int len) {
Record toReturn = null;
// Handle case of a corrupt last record, whose claimed length
// would take us passed the end of the file
if(start + len > b.length) {
System.err.println("Warning: Skipping record of type " + type + " at position " + start + " which claims to be longer than the file! (" + len + " vs " + (b.length-start) + ")");
return null;
}
// We use the RecordTypes class to provide us with the right
// class to use for a given type
// A spot of reflection gets us the (byte[],int,int) constructor
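Review bot: The new guard in createRecordForType, `if(start + len > b.length)`, is evaluated in int arithmetic, so a record whose claimed length is large enough makes `start + len` wrap negative and pass the check; a negative `len` passes as well. The subtraction form avoids the wrap and rejects negatives: `if(start < 0 || len < 0 || len > b.length - start)`. The caller in the first hunk passes `8+rleni`, which can overflow on its own if rleni is taken from the record's length field without a range check (its derivation is outside the hunk), so the length is best validated there too, before the addition. The first hunk still advances `pos` by the claimed `rlen` after a skipped record, which is only safe if the enclosing loop stops once `pos` passes the end of `b`; the loop condition is not visible here. The body of createRecordForType continues past the end of the hunk.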