From 23369586da33ed3e3bbc8ace5c472803a60f7536 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <dominik.stadler@gmx.at>
Date: Sat, 21 Feb 2026 14:11:13 +0100
Subject: [PATCH] Avoid assertion when handling slightly corrupted emf-file

Also remove methods which are identical to the ones in the super-class

Fixes https://issues.oss-fuzz.com/issues/486039135
---
 .../apache/poi/hemf/record/emf/HemfFill.java  |  23 ++++++++----------
 ...-POIFileHandlerFuzzer-6466833057382400.emf | Bin 0 -> 41 bytes
 test-data/spreadsheet/stress.xls              | Bin 80896 -> 80896 bytes
 3 files changed, 10 insertions(+), 13 deletions(-)
 create mode 100644 test-data/slideshow/clusterfuzz-testcase-minimized-POIFileHandlerFuzzer-6466833057382400.emf

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hemf/record/emf/HemfFill.java b/poi-scratchpad/src/main/java/org/apache/poi/hemf/record/emf/HemfFill.java
index 4930959fde..477b6ecb00 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hemf/record/emf/HemfFill.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hemf/record/emf/HemfFill.java
@@ -35,6 +35,7 @@ import java.util.Map;
 import java.util.function.Supplier;
 
 import org.apache.commons.io.output.UnsynchronizedByteArrayOutputStream;
+import org.apache.logging.log4j.Logger;
 import org.apache.poi.hemf.draw.HemfDrawProperties;
 import org.apache.poi.hemf.draw.HemfGraphics;
 import org.apache.poi.hwmf.draw.HwmfGraphics;
@@ -45,6 +46,7 @@ import org.apache.poi.hwmf.record.HwmfFill;
 import org.apache.poi.hwmf.record.HwmfFill.ColorUsage;
 import org.apache.poi.hwmf.record.HwmfRegionMode;
 import org.apache.poi.hwmf.record.HwmfTernaryRasterOp;
+import org.apache.poi.logging.PoiLogManager;
 import org.apache.poi.util.GenericRecordJsonWriter;
 import org.apache.poi.util.GenericRecordUtil;
 import org.apache.poi.util.IOUtils;
@@ -52,6 +54,8 @@ import org.apache.poi.util.LittleEndianConsts;
 import org.apache.poi.util.LittleEndianInputStream;
 
 public final class HemfFill {
+    private static final Logger LOG = PoiLogManager.getLogger(HemfFill.class);
+
     private HemfFill() {}
 
     /**
@@ -194,11 +198,6 @@ public final class HemfFill {
             super.draw(ctx);
         }
 
-        @Override
-        public String toString() {
-            return GenericRecordJsonWriter.marshal(this);
-        }
-
         public Rectangle2D getBounds() {
             return bounds;
         }
@@ -321,14 +320,8 @@ public final class HemfFill {
         public HemfRecordType getEmfRecordType() {
             return HemfRecordType.bitBlt;
         }
-
-        @Override
-        protected boolean srcEqualsDstDimension() {
-            return false;
-        }
     }
 
-
     /** The EMR_FRAMERGN record draws a border around the specified region using the specified brush. */
     public static class EmfFrameRgn extends HwmfDraw.WmfFrameRegion implements HemfRecord {
         private final Rectangle2D bounds = new Rectangle2D.Double();
@@ -611,9 +604,13 @@ public final class HemfFill {
             size += readBounds2(leis, destRect);
 
             blendOperation = leis.readByte();
-            assert (blendOperation == 0);
+            if (blendOperation != 0) {
+                LOG.atWarn().log("Unexpected blend-operation in emf file: {}", blendOperation);
+            }
             blendFlags = leis.readByte();
-            assert (blendOperation == 0);
+            if (blendFlags != 0) {
+                LOG.atWarn().log("Unexpected blend-flags in emf file: {}", blendFlags);
+            }
             srcConstantAlpha = leis.readUByte();
             alphaFormat = leis.readByte();
 
diff --git a/test-data/slideshow/clusterfuzz-testcase-minimized-POIFileHandlerFuzzer-6466833057382400.emf b/test-data/slideshow/clusterfuzz-testcase-minimized-POIFileHandlerFuzzer-6466833057382400.emf
new file mode 100644
index 0000000000000000000000000000000000000000..9e018a8074bb516397acc8278b2e114f8c9984f0
GIT binary patch
literal 41
lcmXS7U|=}*|Nnm=#lXm5#J~V#E0iVX#K$}Ph5&hRHUKUe4sQSe

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index db5b3318d1b71559ca228f7dbe1f17689049b7da..ed7f4227220839c6a9f436ca5ad6fc83ebfab24a 100644
GIT binary patch
delta 2664
zcmZ9OYfO_@7{|{kE!V;eaxWrxEJ916K#TPP3Y{=yg6I&HQKcA7sSI%;E=!ok$=s4{
zlI(nOd@=Eh%d(8bF3U!C`2v2K*_XM+Io-uM=g{38W9asrw|^j~G~wa=-sk-O&*6Pv
z!q~iVY~J|pd*-ZxAfvB%);xO9KQwaqXz<u+mdw6Pnz&+q)l?kISo750#Qr`*PxQnm
zgEPGIT&um$dpO|V<_q=*{KMYkCr<c>ZFMzub#ABAQR{NLt7{w%yMJ)N#n=(wb3S{(
z7d&Kd2?YFye1V-Kz7hX&)cX8gLI3EG|KNzfKi?nhw;dg@4Ul{4<zS4-`UdNbVa!a^
zoi1g}na5ahBV+GmGj^<xv9GciOQG4jqNm<J*3DC9JJRJr*bB6S(`Rm?;CNo+Y}^Vp
zG9#NUSy`KyiOr5?EboeD(QMALa-G8Y+|-N5AG~tWzzyPA&R@H1<PWupzMDpVQrwE;
zsbV3Ok2gJ{U*Ad2SUS5--@_|TD?h2jD+8@QTE1qa)tTjMCYHgz;i0iK-pG?qQ4__o
zQ(XQO`aGQv(9z;ohBC>aLf%Y%!JyrMQEtd&--`KcUdC^VLJKeFw?w-v--#2ld@nA_
z@`Lz7mLJ7q3(w)Vg(ZjQ)c*uajBcsJTrtc*&f9ctnobwPqL_s~M*TeWP|&qIB1qfG
za#mV?h9yq1#3`0I#S*Vu?ur{>%YwB00!xBoNl+{aibXyine3iuU#-t_gi8Idup}y$
zM8%S*Sdw(hoR|(<zLu8zuxN@!Q!JWdN!Be7ggsZErIkwkZ?L2&mK4R3qF7exmfyu>
z*z$q2`~gd<Vo6mjsfr~{xBMxR)^Hd9OL*7NeSav1W%*l7$}%sm$nuYPD9eH<%%jeK
zMUO0t;#?lVM`Bu*$KtLm|AjL0`6Yva8N_FWe4TtJ?o*{=DWW}5qEi;5I4g@ud|E_%
zqQ#snF~U+zC02N4i4()J#EVHPT7n_`mXzyfGmC4*JlB>8SP_P_nx^-<f(|Sn!=(q&
zrXMm%6qb-q6YW&AWbCYjZoGt-X(@mXz>iCKuC@xW3h<tUsesjhS*1MJlLqJvLt4pc
zoDtL1=+mU5w+4bC5@;EKwSea(%ml0hoRLvkfG#D<6%pmuqq5QKh9G|}SuKF|fNc`y
z0ImldCFofV=ux6P5m6iTs9f}JfZ(dMt^wQ#xF}&B;3hz;m0&*L<}eI(S@~NAtpKzk
zOy4Z0&O)$8V#UlXD$42h6#;I6vtPnuz^#Di<@OT5Ccqhjo>IW(Fr<~dea#UE_38&*
zi(W4T`4wcf0zLuQCSe)iHo#GWo^^mNN>ockRI46Uj^0)Xu1aeK;FExh650UU0IfEP
zvIA~cqP9mwwd+xp=xv8!j0Bnk@F~EzC9DG60eDSDRReY?Q5_LcoqCiLy`2y^>}0J0
z+zGf(!dk#Cz;S|}I>22@)UJrA-FlP@y}Kc}DXnh6rvc5C1nU920o?>W>jC#DQF|hy
zdh{p{dV3&vU0OE)?gji%!i|9Y0Po1CO@RBAsQnR9y?WGU^!7r~;2>)Q;4^>$2OrcL
z0sEGssME6r(5FQCBBBoHQCrb_U@5AKqM85?hG8gB#V_&8HM~B`On-J7XyaIe^`$J)
m;iCV4x?S8H`}~fH9_NMYe4@aZ78-N$QEo7ohZfvCI_iJ2?Zz|!

delta 2472
zcmZ9LOH5o<7{||dnHiX2;0{n=fbx>}s{_Mh7^b{RE7cY$wpc2)EuxF2L9C?)qb3An
zx@a4kka*&PRTGV&i&hdRjY%7JYS|bU7%kFjebh=VK3Z%={LY;};u&V~&;8x+{Ql?O
zdl*}>jjh-&e(3hj4+;Kri5;VZFTOl-boiwcZwrsOn=tvA`;0v|PKb_~{)88f7}xBR
zvqPWEc!y){rRT(<SRvfJ?qsnL1-U{@wFyy@A;g8lLL_^I7-4JJKGQkUM@e%%sj5P}
z$t#F|%aa#R=C;o{H>ge6#9YzFwO!c7+-TZ=s~o~1mNPf*b2%-~cwW7C`W+ihyl0RR
zp0Lq<Q@*>2&V-MpQY*Q~$>8-Q#%Y}79Y5uV=hLW@cjMad*p(;j^U`_4yiP)_@_SHg
z(#3+jnMq~zjf~Ht3R;u_6*uIdikosm#kcZfj^KA#=dji_@Oou&2!k!R_}&%kDn?}T
z&t~1@-SfTgW$tFmqFXY=5&Qv`IL#8LS>nY1El$hwqnwCXrj_L<SX`RLrCD5>CEl{!
zmTM79RyJFHhDCj?bg}+KZq4G>ED4t7jvVIY{6wdf<ri2IHA|vqNz^Q+Wm%Go5z8ZG
zxeJR&vv@R%N3$eZmS1Iej<uI#9Kn0ABx{yr&62EHQY_1|yc)55t>QQNAcq3<yY%Jq
z=l?_YtN2r%QgL6-sCXb3RjkPPJf8eZcBptLU(aLsNWQP)Z~29a)$m##O&i8PBrg<D
zxv@s_OHL9prjXZ=45={W2^BGNx{%k{<h%;Ij49%9NS}&W*{>o_p5ic_eCXBrtFWHb
zC1;B$+l&XS1YBZBZW&+9>k?#u!%W184<pBmsmwG1s{ubKrtFXhuqFce>I(l~*YLYk
zCw%>k`>pqvgjqiXRKmMS2CN0FQZNOu4)6fO&?dlot*Sn%N*&O2k&4*{2remW8ejl$
zLBVvuMnGpNS9t-0T2(Nrs>!O#z-$u)11vBz0YiXi70d$M3V2ynZ3b-Cs+yy!TCA#U
z%(g&~RL0gEz}5&1H<!_rVdjFiVf1zdkLCfkGb|J?nOe!8H6L&rCc7Ah9s}%%K)zC+
zwIga*+pS#{V0JqMmnylc5O4?Jf`UbWj{`cZ_yrULc4}3fQB^ywsuIlZgkXRLW+~tk
zfM*pf1AG$jvZ^Wv+@)3RimKXeRaIbiHv~yr*jfqL1=y@$72s2VM;V5;0CsCt-BDG0
ztSTR7_dqbKtkr-$fJ+M206q<v;o~Yl;9jk2Z&cMjtEv{W`ye>Z0<#XV7jR0!dcbD@
zKUGx?fcv$o{ZUnYR#gDAeGueVv$YZM0AQDbLBMALUt<_*0_@kS`lG52T2&#;9)#d?
zW!(z+9N?;g&47mh%W4?503HVHt)U^a74XQqQ%$x34y-#BYzKUP-RWnz4RA05!@Yi*
zCYe`DHzuoX&X4LS7~>8I(Z>51U%l~)SM~%bMfL^A9rsr1)oZ@<*J(1}wkbRopiwdk
L%EJ#E$r1A}Gh~*b