From 1b88529d072a9d4462c445a9953b898cb37c6913 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Tue, 22 Aug 2023 14:22:06 +0000
Subject: [PATCH] Bug 66425: Avoid a NullPointerException found via oss-fuzz

We try to avoid throwing NullPointerException, but it was possible
to trigger one here with a specially crafted input-file

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61644

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911842 13f79535-47bb-0310-9956-ffa450edef68
---
 .../usermodel/XWPFAbstractFootnotesEndnotes.java |   4 +++-
 ...minimized-POIXWPFFuzzer-5569740188549120.docx | Bin 0 -> 6043 bytes
 2 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-5569740188549120.docx

diff --git a/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFAbstractFootnotesEndnotes.java b/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFAbstractFootnotesEndnotes.java
index d626350298..c6bca6d5ad 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFAbstractFootnotesEndnotes.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/xwpf/usermodel/XWPFAbstractFootnotesEndnotes.java
@@ -57,8 +57,10 @@ public abstract class XWPFAbstractFootnotesEndnotes extends POIXMLDocumentPart {
 
     public XWPFAbstractFootnoteEndnote getFootnoteById(int id) {
         for (XWPFAbstractFootnoteEndnote note : listFootnote) {
-            if (note.getCTFtnEdn().getId().intValue() == id)
+            if (note.getCTFtnEdn().getId() != null &&
+                    note.getCTFtnEdn().getId().intValue() == id) {
                 return note;
+            }
         }
         return null;
     }
diff --git a/test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-5569740188549120.docx b/test-data/document/clusterfuzz-testcase-minimized-POIXWPFFuzzer-5569740188549120.docx
new file mode 100644
index 0000000000000000000000000000000000000000..6947f6fbec512e02f94bd258e44fa018b3538269
GIT binary patch
literal 6043
zcmeHLS2!H(wjNz{Li93v?<7Hn;MYct-lCT=7@g4~x<S++q74!?qDCiruMwh?K@x5B
zUbgIg_Bs1J`@cQUx%l^Yv2ND7`M&Rc*SprM4aUNz1mFVj0RR9Hz~}uTE)@d+D8~f=
z?gQ{KO%-6SUUsft7J6_uJ5O^#KNn|~d~8haJOJih{eRA1_yuZTYk<4t$Rg39x4>=v
z%nwY8g(Y~huXv3*wwk0N)Tgo85a?}dN-Z&~#2;Xxmt-4ne3ye9M4Qf!Dvacm=oL6d
zhmhPXKOLPj48D6G2scpRBoin#(&SO_$+?Sxp3rI-+^byK40)YF{tn8cGxnK}-zN04
z#b!n;Yw(Efo75X^-9+lH)pt`OWY~1tU1X?<`-J_|a{J|?Pk6_I)<o^uwrF@1G5Kk^
z5cA&VUz#X*IUMR(9|%%+TscZbd%H+v6#vLEeN8O5UW}2Huwg!n9HXmU5Re~B%71aF
zX@Ys1Wz%^W_RecO67LQFia{6Sl+$i;!>#R$X~X1>)n(1Ls;0HUX~wMCsTt(*9Fy-H
z-zLLu-xVrSs@hP}nejq`SB1|vE~~sTU|vC3nP4+*f$QZ5r!F2iH_0fM_^OyCu8ffE
z!FltgT(_rp_~RbpM)a8rS&T1f{|Wpo?o&pq0CY+D{_*aL<(O}I5wZWrXpWY4hLLO7
z9tdcD<28IMY|~toxye|PveRyVg#!TG-eLi?{}-8=lIZFW?+~ha$5p~RGFy1qIeQ8T
z{*M14@n4v^|8n)X<asr$r$muxoMo&2pojAWtdp}#Do9_}Ev)c2+Zeti!-aEgtpzMi
z+Vjshj(!YjO}`C$J0)EtgZt6S_-o#`x0cGwP(PRYSUhdxe$&iQ2V&*XN{B0LT1X}-
z6)6)ZQkMU{Ch{peh}B-KvcN2&zfG?xkwNvIZbH&9{c&7bQ(NDWAy(#__jAU?5C^ne
zU7wMp#WaceL%LuBd-S)V7^;3eE7+`{HLtU3uSdKS&oMupv+x*4c9L~Df#eD#|Ld{h
ztwrps2>yG>dog2&f!<kICeKN|X7k~FAElXr#{3V00xlK8YJ?m?ce3{H9O*QXf5d&4
z>B9y97y$SfzAz74p??s?7G~q^a;JU2Mem=a!MIbtyXwF8DNh~I>=GsmN2|0btVz2+
z%VW_iq7I+pql_urat>D9j^7qYtnbTLQ$czNfp(2@&TE@boUY$BuVIx#C-BpXXu+Sk
z`Au~RPnv?7njB)-AZoKnj1F8kXLGaX<vGZdHKE4$JLccb<L;LOH<=&#mSPB)Bc9N_
zc!vC%90-9ffsX~DE3y2h9@3|lJxLDLJUBIPCx5`Ambh|HdrO_DWb)^r!d|SQDL*h_
z+%ClI-?ZRlhf`sq!I`U4oMBk3%jT!CBD}!x<_vr)y17B~htMAO2$lyTKnCJ$i}w(k
zC@IR^zBt1G<>KY5ajsDD^^`$VOhz+=ojRTHyQi7;HhS{Jjqx$sz)9vvRf4Ar-Qj29
zi$m?FBKMWaf{(5#m+#>5??^kXCAWKhhce##008-2#ov+kuNd1l8ggBbq+F!_DQo74
zDx?`>t6((TQ@5N_G5HL^`xI7z)}D%{MNq0Zr4Cdq>mFe>jU^mu`Ex^heNc2tHLCOh
zR*<ttElp#d@PqH>B@lsZ!)f)D0k^C~@lN|e{-S}mW$BlF_s&0a+PK7Lank=vp|1JZ
zE(Mt!Ml_{zlCi{T&14A37f(*~$I7Q|M}11hO=<Mzz`ODq(iw2oH@xgjqr$7xHi;Pd
zIqMggdL-<VIW=1Nq&v7Iyk=<w=&I_H!w0<V^N9-RZ(JO$dA@eios>c+YJ?)xKNm1L
zhfVCo^gOT)T2?Lxx0=uBkv<miT=>lNZnxXDe2CW};)tohVR4PbU9=6o{rn}lbv+8m
zx&ZRzQym!Gw#@gv8o7~15nHwB_?~dfo4>&K5(yI$aQ+lChRCFB%P?0@**{zNJ6NP4
znI#>u`k8<`W;<F(!aOz%BdY87q-L%NaFhhER2XaBhny^%aTd%D6zBHVY#J`ZPZZoU
zYvbdm4Egi2233U?O*q9mmmhkm$qpbSa0lFY?petjsvRN<*pVqk*A_wWQW3RsACosj
zD^my_%4E&s(0FSFs81=eMfGE=2(JXEg1peQLZW-WF!NJ_#f|k0AjHx-+`mj8+FUHn
z_Kq*`u&os=6;I+%6xV<0DP1|;6v5UC$Tm_)XV6YQm4TByE3gJPakG=o)xIYG5#1^&
zDRDXO65v%LSkzTuol{-6tYlp-BOyc{t#xySIwfuY0J^%UjURC7&eu~ih%h%oL3PM3
zj}B)X_%kgG-fWiom8-TrU#O-dc*fAiTZocy;5K_DMpd%0H<38Aw&|H~{Zmg=NeIiw
z$(r#efjmrwOYGn^@ezCNRh+9adHFsrn^(G37{!7o7!=oCt%_cMtAXf>Cq9thm_%M9
z=Jh2ta$Jldv9~2=Ubw-H)SnAZaww|(kF>QlW7Kob`;o!goMlLWZ7%S7d+HhOw7;06
z;jZ3zB^T$%w8%{Po^3^ab$uQ0y3u0HEqv1}93!Q0dlSBonArHAA_%L?YZ)dV^Qsw2
z=Udh$vWi-*)C&~Fx{)}V%iP<-k{Ts(;}TFXQKTy-1z<OfVq(xbRUzb8y1zYngRz7=
zQE_dU&Zq)A#$f%{=lcx~RA95K*Uq1340ZPh^W8tEXuFo^n_eY|y2i7ntvD}vet-Vp
z#inKcgP+t(pPTW7O$J~{m`<e)`N&)uJ>%wNrsu2RcwFu@2^w+b+N$NmDrm{|hmfY4
z)GS7ZoSf_2w;g^16O}0|o5t}(6!TBdNnR^p*Pc`EX*Sky2#}?_Dm2P(;iDBjX`ve8
z5l#v<&sTg_K2SC{JpLFV?pqU>V0W0E(4BUU;osK%o*q13+TIdKss(k62+v_mf2?7$
za{cpcr2!oB^+2M}GqmS*pRLE9i&-dxF5uT$W!+Y1q^0|Hb@o@$zO}V;zsXLZhUx-9
zh8d+)s_GdV2*36;jyn0#Agy7vQ&kLWL8VC&qIx%9>(biSih5Lph9u%C?{GdcFN*tw
z+TCRn{?xjbdHtsoC1S)Q^Y`Z0dzbz19%koi>k9L-^Zc!o!+Jxm^TK2;cRdWhWj;BZ
z(+vmQ*zlO%2kUH5tt^Avf`zB#=2DPHCkDkr=D+y|?x{#~7p>>znetvCmd%@F9Ag2o
z<dAZ`ku~tsoEIPgN%pE&gP9&2NEYhKwW_NNyZIk1&=Q7k*ucUO>EWF0FYwH{O`_1b
zcatn4v)pXOT?KGe9Eo<**5cIhsVa*&F<;dg;}bb08vVrS{=je}d;?lLeN-U0A~RB7
z_@<jg%wc!DQCFW&u1Q!#;<Gy*$IcrF{X}<rKCs6V`xl69;vUnM{}Trj7smvDd{Fr!
zpDwh3xAH+jGw?C6qI%3ef%+%#{j0}(W@B-0@dwwiQH%SUx2i21h;)(~UD9JUY;=C$
z@w3SvyZPk(q3<K5?C>Lv%oF)jAu>q)EiByX=8>+1kyasmB%^rk`mSWnDYD4<_zC^f
zliq~dOas3c-!$p*99e6Fb3HfU<?R|#3PU1trbQ|yu3tbi3YQ_|GYrpY4slkcZ=^x2
zhCIJAoWo9Ekpt<>uhSJ}&ET96q2-ITuf-~<Ff>)PXwM401`KCP*>^SM9pifOc=ill
zt8jl8BvG<ZPB15-z#n+6*;CbHhFWaj$#~w3C4S$9VS`KR)&oZxsZ)zV_#W#S=Mtfy
zA25|Tmv;WV;>$0uufb5hxNf|LE5bjMyc)xp)r`Aw$>~n^DE=vV_Ar>&|KLS;$hGqh
zFNT}4ifv(7LD5R#&$)k;CXl)@78%vGrtKsioSJjFU&!MhPZ1_L_&WIbq_6KZ8_a4x
z66#2`l^jv!B#KhYoJp3Eb>SpTKL4!VLrJ5P+`6~s;~o6TIhKxv2EWsx-zu=GYflo}
zRD1K>z;UC<GNQwhShFTX>r_p`6BeKCHlBua&ia}tKx*s|DmpHwO6P!hX`RpEyMiRC
zDhz2#Gb75?Th*M{;hXtPFQERDvgAHN0031#dC~p;b};fmeT=Q|aJObz>dc((6mOr2
zS+qgWyg<XC)JkW7;!Kd6ZPt2UZ4`zQqUw9<gEr`UP4N`_!k8cXHn*sQ_YE?0&@U>-
z5NwC43lDW;)9}_mIEDB<`9s+72TIxD=??o5eI`#>5-s>E&<_knkYUsL_VEPmY^UUN
zYc+2JSsHzHzL@s9hZv1+vg{%D&gSI@9BqRigP7<d08mV_CX>lel|k^aq`7T{=$`Q1
zhu5+sb12JDaSh+#gcvsC>}zlto+-$lo-4_I#gO?=N0+=7n%=rQM<|RQK=u0@0l$Z2
zFGo8UyMIKH-_+kW9&@GtgQlHrpQNC*zUsboe8D6A?Qg`jkb-Xlo9-=4Xic%^noL@*
z;}2>HDlCdm8H%yZ9<i`Ii*2YyuYeTt@DWpnD{tSJ2XHMV7RKj=Zjc2yyjZ@KJsj~{
zKUj=LnzOR6yD#!t@WZ3KLFg}!iUS@t?+}8Sk_q~PhW*qxm!ehB2b<04@)bL(<Y<<>
zgmux10OYfQgN3XkE83x08K6iDy&Jg|P6BJj7GVosAe-bv3toZIKQelm5boH{eamq#
z=wxY`^XS7cj$`UG_hBMr6nrJrft*sA(gV?L!JlM7G_s7cOw2OPc+0t+Kl&m+wd+n(
zda%D$&odw1WQyKBY!z%Qlj*M1+sog5J)HZnzDYDHU6=L!E9A&T-H3%+I>nLiM!Y)t
z5vTmnj@r)TMR+@gutY4h&Sb;@-Z=)SM2D>#q|1z{1(YoG`)$abZ1JP*OH4`|&KPbZ
zXtSa5N(Clh?<#fT{@@S8E9q*nuj}A=Fu4a7*&T*-(2<S&u!k(M7FiwjLSG;72`+`m
zE1|M!Ye^iNvpsU<aI;(}JJSJedTOh>l(t>$^R>|!311<eLY=-1j#w`_ZH*>qN_6CL
zzeOp+z87<GPh;+jbTmHn8Aulcn@A?N<;9c+pt)!e_Jip46to2h9!_$~%)EOW=y!Xw
zdXtcrq)_(~#iDimeO~J((2w+b|7RIBDTuFkNakjS8FaP&tEfkgyQoBJOjh=6XTRf6
z2y}7XjEA!)@iGAJm#(Ckzhz76a)?hP_S{{9>xsK0!ZjL_V=X|!{;DeN+2{6m@_0c(
z;l^}~$_cpcPyE1g(ma^YX_wq7cf+lV9bc}MS*-ycK6W4$BxrTh9~x|Il#UCtUbW8X
zbFpbLWp9qL;cEL}g&8CP2KVjRt1x`6r+Gz1qM}YYi9RC%;!H2TpW5HzJjO{6%o}$>
z&}BSmDg*~;N@~PNI%2!iQq2<W`vlg&2_+u!Rr_aeH>ng83=^cHDK;AR37B{psH(QV
zN3Sym6PH!042-Ir!Og(D(Oz;i${#>U)zKS~fB?^@?FeKT)&JYt6LJDocOF#xvB^#(
zA{2qikYVCjO4ZBjCSDgcP8l)W(>#!%=1AR}r6teD>*ghyR;@JMEOFW((Yp(Udc0H_
zDIL7zNz4?u*bU{J$Sd9=;%%&{=9|hRMnpSt6+i2>X<N0Sn}5+AwbS1@4HW9gcT0~j
z-dM*>Egz+(qL2AWSmy<YPiR?kZ1b*yxk>dNeScNt%;-Lf8i|B+sLe))>-*?iI}N_5
z2_D%i9Y55z$=0f8&-4ZrCTg|E);mPr1i7j>zoVcDjOIKOCy*&MWfjRKixJs(93Wz5
zwU%CfwbH6syzl4TD!a(ew(c#3xVV&6?7m#kV#oSpB1E=&f?|)|gf+nq<xWv{au0R<
z(b)~;-wd4Kcu8@b>wE<4=pp^n*5@Vr*uV2G^V=g}y7LEYygj{OE=DfS|78+DyzE^5
L-v0g%9D=_A4)LJ0

literal 0
HcmV?d00001