diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java index be18652602..79b200dcca 100644 --- a/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java +++ b/poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/BaseTestPPTIterating.java @@ -70,6 +70,7 @@ public abstract class BaseTestPPTIterating { EXCLUDED.put("clusterfuzz-testcase-minimized-POIFuzzer-6411649193738240.ppt", FileNotFoundException.class); EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-4838893004128256.ppt", FileNotFoundException.class); EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-4624961081573376.ppt", FileNotFoundException.class); + EXCLUDED.put("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt", RuntimeException.class); } public static Stream files() { diff --git a/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java b/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java index da4d2a3289..ab30e2c404 100644 --- a/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java +++ b/poi/src/main/java/org/apache/poi/ddf/EscherContainerRecord.java @@ -91,7 +91,7 @@ public final class EscherContainerRecord extends EscherRecord implements Iterabl return fillFields(data, pOffset, recordFactory, 0); } - private int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory, int nesting) { + int fillFields(byte[] data, int pOffset, EscherRecordFactory recordFactory, int nesting) { if (nesting > MAX_NESTED_CHILD_NODES) { throw new IllegalStateException("Had more than the limit of " + MAX_NESTED_CHILD_NODES + " nested child notes"); } @@ -104,6 +104,8 @@ public final class EscherContainerRecord extends EscherRecord implements Iterabl final int childBytesWritten; if (child instanceof EscherContainerRecord) { childBytesWritten = ((EscherContainerRecord)child).fillFields(data, offset, recordFactory, nesting + 1); + } else if (child instanceof UnknownEscherRecord) { + childBytesWritten = ((UnknownEscherRecord)child).fillFields(data, offset, recordFactory, nesting + 1); } else { childBytesWritten = child.fillFields(data, offset, recordFactory); } diff --git a/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java b/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java index c6e71ea099..475cfdecae 100644 --- a/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java +++ b/poi/src/main/java/org/apache/poi/ddf/UnknownEscherRecord.java @@ -32,13 +32,14 @@ import org.apache.poi.util.LittleEndian; * we do not explicitly support. */ public final class UnknownEscherRecord extends EscherRecord { - //arbitrarily selected; may need to increase private static final int DEFAULT_MAX_RECORD_LENGTH = 100_000_000; private static int MAX_RECORD_LENGTH = DEFAULT_MAX_RECORD_LENGTH; private static final byte[] NO_BYTES = new byte[0]; + private static final int MAX_NESTED_CHILD_NODES = 1000; + /** The data for this record not including the 8 byte header */ private byte[] thedata = NO_BYTES; private final List _childRecords = new ArrayList<>(); @@ -66,6 +67,14 @@ public final class UnknownEscherRecord extends EscherRecord { @Override public int fillFields(byte[] data, int offset, EscherRecordFactory recordFactory) { + return fillFields(data, offset, recordFactory, 0); + } + + int fillFields(byte[] data, int offset, EscherRecordFactory recordFactory, int nesting) { + if (nesting > MAX_NESTED_CHILD_NODES) { + throw new IllegalStateException("Had more than the limit of " + MAX_NESTED_CHILD_NODES + " nested child notes"); + } + int bytesRemaining = readHeader( data, offset ); /* * Have a check between available bytes and bytesRemaining, @@ -83,7 +92,13 @@ public final class UnknownEscherRecord extends EscherRecord { bytesWritten += 8; while ( bytesRemaining > 0 ) { EscherRecord child = recordFactory.createRecord( data, offset ); - int childBytesWritten = child.fillFields( data, offset, recordFactory ); + final int childBytesWritten; + + if (child instanceof EscherContainerRecord) { + childBytesWritten = ((EscherContainerRecord)child).fillFields(data, offset, recordFactory, nesting + 1); + } else { + childBytesWritten = child.fillFields(data, offset, recordFactory); + } bytesWritten += childBytesWritten; offset += childBytesWritten; bytesRemaining -= childBytesWritten; diff --git a/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt new file mode 100644 index 0000000000..29c33243bf Binary files /dev/null and b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-5018229722382336.ppt differ diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls index 686638aa53..43e8f6950d 100644 Binary files a/test-data/spreadsheet/stress.xls and b/test-data/spreadsheet/stress.xls differ