Prevent an overly large allocation when using HPSF

Add a sample document from fuzzing which contains invalid/oversized values git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1899749 13f79535-47bb-0310-9956-ffa450edef68
2022-04-11 13:51:31 +00:00 · 2022-04-11 13:51:31 +00:00 · f8e27ee19b
parent 0ac26e7b1d
commit f8e27ee19b
4 changed files with 11 additions and 5 deletions
--- a/poi/src/main/java/org/apache/poi/hpsf/Array.java
+++ b/poi/src/main/java/org/apache/poi/hpsf/Array.java
@ -16,12 +16,15 @@
 ==================================================================== */
 package org.apache.poi.hpsf;

+import org.apache.poi.util.IOUtils;
 import org.apache.poi.util.Internal;
 import org.apache.poi.util.LittleEndianByteArrayInputStream;

@Internal
-public class Array
-{
+public class Array {
+
+    private static final int MAX_NUMBER_OF_ARRAY_SCALARS = 100_000;
+
    static class ArrayDimension {
        private long _size;
        @SuppressWarnings("unused")
@ -33,8 +36,7 @@ public class Array
        }
    }

-    static class ArrayHeader
-    {
+    static class ArrayHeader {
        private ArrayDimension[] _dimensions;
        private int _type;

@ -47,7 +49,7 @@ public class Array
                String msg = "Array dimension number "+numDimensionsUnsigned+" is not in [1; 31] range";
                throw new IllegalPropertySetDataException(msg);
            }
-                
+
            int numDimensions = (int) numDimensionsUnsigned;

            _dimensions = new ArrayDimension[numDimensions];
@ -86,6 +88,8 @@ public class Array
        }
        int numberOfScalars = (int) numberOfScalarsLong;

+        IOUtils.safelyAllocateCheck(numberOfScalars, MAX_NUMBER_OF_ARRAY_SCALARS);
+
        _values = new TypedPropertyValue[numberOfScalars];
        int paddedType = (_header._type == Variant.VT_VARIANT) ? 0 : _header._type;
        for ( int i = 0; i < numberOfScalars; i++ ) {
--- a/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
+++ b/poi/src/test/java/org/apache/poi/hssf/dev/TestBiffViewer.java
@ -40,6 +40,8 @@ class TestBiffViewer extends BaseTestIteratingXLS {
        excludes.put("XRefCalc.xls", RuntimeException.class);

        excludes.put("61300.xls", IndexOutOfBoundsException.class);
+        excludes.put("poi-fuzz.xls", RecordFormatException.class);
+
        return excludes;
    }

--- a/test-data/spreadsheet/poi-fuzz.xls
+++ b/test-data/spreadsheet/poi-fuzz.xls
--- a/test-data/spreadsheet/stress.xls
+++ b/test-data/spreadsheet/stress.xls