From e706f37170789876a930461924fbe84c34c5dfa8 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Tue, 8 Aug 2023 08:48:13 +0000
Subject: [PATCH] Bug 66425: Avoid a ClassCastException found via oss-fuzz

We try to avoid throwing ClassCastException, but it was possible
to trigger one here with a specially crafted input-file

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61276

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911536 13f79535-47bb-0310-9956-ffa450edef68
---
 .../poi/hssf/record/TextObjectRecord.java     |   3 +++
 .../poi/hssf/dev/BaseTestIteratingXLS.java    |   2 ++
 ...nimized-POIHSSFFuzzer-6322470200934400.xls | Bin 0 -> 3347 bytes
 test-data/spreadsheet/stress.xls              | Bin 61952 -> 62464 bytes
 4 files changed, 5 insertions(+)
 create mode 100644 test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-6322470200934400.xls

diff --git a/poi/src/main/java/org/apache/poi/hssf/record/TextObjectRecord.java b/poi/src/main/java/org/apache/poi/hssf/record/TextObjectRecord.java
index c399bd64f9..17bcce71e7 100644
--- a/poi/src/main/java/org/apache/poi/hssf/record/TextObjectRecord.java
+++ b/poi/src/main/java/org/apache/poi/hssf/record/TextObjectRecord.java
@@ -127,6 +127,9 @@ public final class TextObjectRecord extends ContinuableRecord {
                 throw new RecordFormatException("Read " + ptgs.length
                         + " tokens but expected exactly 1");
             }
+            if (!(ptgs[0] instanceof OperandPtg)) {
+                throw new IllegalArgumentException("Had unexpected type of ptg at index 0: " + ptgs[0].getClass());
+            }
             _linkRefPtg = (OperandPtg) ptgs[0];
             _unknownPostFormulaByte = in.remaining() > 0 ? in.readByte() : null;
         } else {
diff --git a/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java b/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
index 45de3c2155..26627b5a9b 100644
--- a/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
+++ b/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
@@ -86,6 +86,8 @@ public abstract class BaseTestIteratingXLS {
         excludes.put("61300.xls", RecordFormatException.class);
         // BIFF 5
         excludes.put("64130.xls", OldExcelFormatException.class);
+        // fuzzed binaries
+        excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-6322470200934400.xls", RuntimeException.class);
         return excludes;
     }
 
diff --git a/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-6322470200934400.xls b/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-6322470200934400.xls
new file mode 100644
index 0000000000000000000000000000000000000000..40f4ecaeaeadd45d5ef5c54040394ad23bed0a11
GIT binary patch
literal 3347
zcmeH~y-or_5Xa}>`0@)uKm~=<E371EVqs#m&{*0?VXa1!3yCCRp^f?g7WfDzYG*-X
zWuXtC@&;mj02?Y3UH^L=<di$OU`Wv1kl*d@%nq}+ACtY(Q>c7ijK9ziStK`ovH*Dv
zdI5EgCW8b!W4vA~c^#_%A@3%y;WN?wan%RL&)3h5wG)8{@HO`VKL~&x(3>XeL)i}o
zKoDRHPzZ#<5Qu;%h=E}+0!Bd`B)}LL2T70u5|{v!Kn8pqT_$fG84upoY<t;@CEDv|
zv)3Bs@Y}~)tk5pXJvzkb>`M$grWUH68(O#<^Tj%%?@^XEwQ*!ycs82D<PvJ}dD+-Q
zFs3lg?85VPxv^)vn&$D_{a5>bzlk64;}m;6benqc-JhU}$yvaOKEMfoTsoSX)rKKZ
zMVO&Ex<rc|7qo>IC?c$qN?TaJ9Oc1|wvRHjft{2m$#YHHu&K~D^F3pytiYam@`32S
zl(FS&8n+94lVX%Ecz%>+SxGC({Ip(4iU~|25~SW%3^vr0Vvw$QzUAhsQ&~%^L=`4!
z6I6ZNNuAc;2t0!7Tmg)yi!tX4;9LQ|?}+wVIL6Kupqk69uK=pGSj>8ff6iFg%+$rY
JQvU=(`wKrfZsPy|

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 70847a482cd28fd42546e61516cf7bfa49290244..cf344f0b847ecad437b31bced212587486dde191 100644
GIT binary patch
delta 1233
zcmZvbZA@EL7{`D2ww1QDg|V_B!no?DAB0f>fhi%dO@b(8ikkwPGAJX9we6(SrXXF6
zx-Ux9V|;0AWSSUbmSx$EF)oXVnt*Qu@q>nCF-B*c$)bMI51S63TUeE7oA&oS&pGG+
z{LeY}9y(_`bl!H{uDc!sE-x)DB}}hAt7(s_1=~$8*u#!N`{~66b-;dDuRLd7w9nd{
zp_djHK3&vosy)?o!d0bfx-tqY|MTxxQ-!Wv)rtyiI=Y(n_}xyP)1;S`e&_M4^MziS
zWJPYzm8d!&1@loX7fpJumD$rCtDUUzRcjiJoYM1x*042jmQ@3jo-)<qwd_obh1S&;
z65cC~)A{IBF8a)C>0R*FEUT)`KACB@_>yjQY`yyi118q+-Zj$Q?($AJ{Y*F|&VPD1
z@%g)PbFS=URatG^D!aKoF+38B?~g{to}!pPXVi4_F2_+D>^3hoR~q_Qsaf9llV9sr
zr^7YZ?dZ9qv$waS<6ts5@<>f%eO+BcQ=l#o*izrn5D08egvZo;s5}*mj~aX9#{NiX
zBw+;Bz}9ed_#vawh(zPYzUaY7Xo(@s$+}wbh>a(N3E`Fi)XHr<bF<Xs5bvvpZachu
z3p{%jIGW&60ld--Q!dGGmD~;6Zj-el^l&Q-7m*^?4*N>LzfJb&hqmp|SPCC^!uwZ?
zc$YMkb2@t`d{qG@-Qe5+gF)C;1s8kZ3o*3*ZunUYeJE67XtY-viJ_hM!i^62T{tWJ
zb|)McgI)JSg)0Tgez>a;#s_2v;_PeT+rrm(!vQaB+yj3IhlCA2cug1;o)I1uu6+Q0
z6b6Mx5gZow2|p6PD7-BEQuynGVy+mngAkE}4i7=AW33!b$lM$4@|9<07jHcYJ_YNJ
zzz4@5eG=}OQOWroX6fX3v6eNTpE}Z1<J60JRi+oPNwzG9rWIk;(*IM-nAgud?o9n9
zPmr~wjXqhjoM{Aem%5zklF2?-#_VjRI-facr+;Og)#M+Qw7f1s##Uygu~g)~b1G@_
zDtn}Tnt#h=R>@>m$z*ae@+jqGGC7&id}gT(h?#F_AtpChp{sZ10*-z<=unGu&AzON
tA-}AAHBGf$*rc}4Z!8)A1TqV9V`pICdwBB)GdchC2K8I2^NnBZe*<oa4dws<

delta 875
zcmZXSSx8h-7{`BimYhA)39MWuG72&^%TdXcq#&$ZC`Hp2MhpybDJh9i5v7O7%G-km
z!Bj78gmqssBw9>qfu>$8C{W8KO7JN{#p%0-1Jb?R`}?2so%4PF?{HcsjV<4eJtl+o
zG%z0w2G3|t!=Pf-<-&KRa9yXV+U$upPgkq;rt^l%QEkRFXtazydszMYvtm?7n$sRx
z;|z+Tdh9X({oQJZ-MTQVt1zPhMfE$}HVc;(DX9;K9d32f?vzEkvN;x2LP+I>RNaDV
za;%lreurL8_P7!h1uuPuP(nSd2fnZ*(Bz0xGo88}zgWmxYN64&Som5<^)0A3PCef*
z=jMM|)kK%9)G}RXZBgeeZq8YxZs^H_>>Rr`9`z(H>cS~~+Q#n2ipsi%s@j@U?S!-I
zmHIfn*nHgxrCMZ0jK?tH)>29*+|5CJiiP<^aLB$BNzf=<n+!>ESPfgCReH?c3j0ma
zoC+70!IT$f!=NP{I;=9zkg*LmZHEj=RFnl3%b{c^9FKsx9P#9ajl00R67KDR-c?es
zIadm<f&RVlF&bv}fh899NKeIaFq#kV#89vReu$wvg`kR|`~y-*4DC1w8_e)kI4B$_
zf*vuLQUcLp%y$U(*~LtmG$6*F3U3R~mqWc%;*P`cTSTsKn+w{7wZa#|`@&h_n9zF!
zJkn9EuvB<gcvUzq3<!sg!t-!wI|el?;Ghq(BIRT%G;>|9Yjw9YVQ7<%JK>}sRzHxs
zz2NWHs+!)0E8SY^r5kBl#9)oZHY7L8C#N~AsO5oVwKI_B>XKW9d|mR&mH0EYUY!fX
eN4y+>Z||Y(6WkhxpCf8jQ-Rj{!5e#X+VmH<($why