From 98b8864c401f8d3d605ea06ae7294ce226a19471 Mon Sep 17 00:00:00 2001 From: Nick Burch Date: Fri, 12 Jan 2007 14:19:35 +0000 Subject: [PATCH] Throw an exception if a picture claims to have a negative amount of data. Should avoid problem in bug #41357 git-svn-id: https://svn.apache.org/repos/asf/jakarta/poi/trunk@495578 13f79535-47bb-0310-9956-ffa450edef68 --- src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java b/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java index b9a1a67292..774129a9cc 100644 --- a/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java +++ b/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java @@ -35,6 +35,7 @@ import org.apache.poi.hpsf.MutablePropertySet; import org.apache.poi.hpsf.SummaryInformation; import org.apache.poi.hpsf.DocumentSummaryInformation; +import org.apache.poi.hslf.exceptions.CorruptPowerPointFileException; import org.apache.poi.hslf.exceptions.EncryptedPowerPointFileException; import org.apache.poi.hslf.record.*; import org.apache.poi.hslf.usermodel.PictureData; @@ -272,6 +273,13 @@ public class HSLFSlideShow extends POIDocument byte[] imgdata = new byte[imgsize]; System.arraycopy(pictstream, pos, imgdata, 0, imgdata.length); + // The image size must be 0 or greater + // (0 is allowed, but odd, since we do wind on by the header each + // time, so we won't get stuck) + if(imgsize < 0) { + throw new CorruptPowerPointFileException("The file contains a picture, at position " + p.size() + ", which has a negatively sized data length, so we can't trust any of the picture data"); + } + // If they type (including the bonus 0xF018) is 0, skip it if(type == 0) { System.err.println("Problem reading picture: Invalid image type 0, on picture with length" + imgsize + ".\nYou document will probably become corrupted if you save it!");