From 2c5264277a879b4adba6593b79053fbb8ae4df29 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Mon, 7 Aug 2023 14:32:11 +0000
Subject: [PATCH] Bug 66425: Avoid an AssertionError found via oss-fuzz

We try to avoid throwing AssertionError to be triggered by input data, but it was possible
to trigger one here with a specially crafted input-file

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61251

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911514 13f79535-47bb-0310-9956-ffa450edef68
---
 .../apache/poi/stress/HSLFFileHandler.java    |   2 ++
 .../poi/hslf/record/EscherPlaceholder.java    |   9 ++++++++-
 .../apache/poi/hslf/usermodel/HSLFShape.java  |   4 ++++
 ...nimized-POIHSLFFuzzer-4630915954114560.ppt | Bin 0 -> 12800 bytes
 test-data/spreadsheet/stress.xls              | Bin 59392 -> 59904 bytes
 5 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-4630915954114560.ppt

diff --git a/poi-integration/src/test/java/org/apache/poi/stress/HSLFFileHandler.java b/poi-integration/src/test/java/org/apache/poi/stress/HSLFFileHandler.java
index d496d0b85a..f25da02fa8 100644
--- a/poi-integration/src/test/java/org/apache/poi/stress/HSLFFileHandler.java
+++ b/poi-integration/src/test/java/org/apache/poi/stress/HSLFFileHandler.java
@@ -84,6 +84,8 @@ public class HSLFFileHandler extends SlideShowHandler {
         }
 
         handleExtracting(file);
+
+        handleAdditional(file);
     }
 
     public static void main(String[] args) throws Exception {
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/EscherPlaceholder.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/EscherPlaceholder.java
index 28dff25ce9..f474f2171c 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/EscherPlaceholder.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/record/EscherPlaceholder.java
@@ -20,6 +20,8 @@ package org.apache.poi.hslf.record;
 import java.util.Map;
 import java.util.function.Supplier;
 
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
 import org.apache.poi.ddf.EscherRecord;
 import org.apache.poi.ddf.EscherRecordFactory;
 import org.apache.poi.ddf.EscherSerializationListener;
@@ -32,6 +34,8 @@ import org.apache.poi.util.LittleEndian;
  * the slide layout as specified in the SlideAtom record.
  */
 public class EscherPlaceholder extends EscherRecord {
+    private static final Logger LOG = LogManager.getLogger(EscherPlaceholder.class);
+
     public static final short RECORD_ID = RecordTypes.OEPlaceholderAtom.typeID;
     public static final String RECORD_DESCRIPTION = "msofbtClientTextboxPlaceholder";
 
@@ -59,7 +63,10 @@ public class EscherPlaceholder extends EscherRecord {
         size = data[offset+13];
         unused = LittleEndian.getShort(data, offset+14);
 
-        assert(bytesRemaining + 8 == 16);
+        if (bytesRemaining + 8 != 16) {
+            LOG.warn("Invalid header-data received, should have 8 bytes left, but had: " + bytesRemaining);
+        }
+
         return bytesRemaining + 8;
     }
 
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
index 8dd66e94fe..007259230f 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
@@ -247,6 +247,10 @@ public abstract class HSLFShape implements Shape<HSLFShape,HSLFTextParagraph> {
     }
 
     public <T extends EscherRecord> T getEscherChild(int recordId){
+        if (_escherContainer == null) {
+            throw new IllegalStateException("Did not have a container for fetching children");
+        }
+
         return _escherContainer.getChildById((short)recordId);
     }
 
diff --git a/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-4630915954114560.ppt b/test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-4630915954114560.ppt
new file mode 100644
index 0000000000000000000000000000000000000000..c70d8259a82d6f2d78c9f438a43d3dfb775dda72
GIT binary patch
literal 12800
zcmeHN3vg7`8UF9R8}cA<7m^@83RfppT6qM+I80SoDk9ceQiC0^SQ5zwc3iUQZg^^k
z_5Do6fkD%D6d$c<wM|E-MX{BsRnevzA9SSS2pw&!wNqC`K?Jtncg{V@&1M&gqT<w(
z{P&!D9{>6O|NQ4WkG<W`4%>12Z;txA<b)~W$o_1p3<~61NRw0uiwsAC@B6datj-ic
z^2_iAvcNvbdISc~0fj(CAdY!4s036BDgzA$m4k+WhJsuWTtJ3_IR2zcq^m$90(oB`
zQ~Y0wdafk!*Cw8vAuWiLvI3)b@L>cz#u$!R5N^M;>8G=v9d^~f<z9K{Yp(}6wT_v&
zZRvYktO{n*!4T@u`!b25U#4P822Z9Vy+D@8Vw6y-!eNZqmW^WiFXbp)v$urxca7HX
zMN+T&SuBl8_p{JnGkQ;=??&_-L%OB6X}=Wv=e#jC=vSdYMhzPw6!p_}VDd~x|EBMQ
z)t_^A5{-c1%InUxkj0WWoH2M$WAg66#3nIKJmCB{_~7He<;puwC0-`T7MHkCBhR~3
ziRG?rE&euQk>9z~@tg*0#$e4j(vPgGkS$M_*Dz*ayV>_t2x;TUc6k~3#ZQ&jFlHbx
zjZAmB#G|xC@Z>oET=k2WlJR(Gb?$K~D_zT$Qiv0gJ6(<*e01Mb#K(CeO^5~URm`+R
zRAaWvX5Ugd+M-<FltM6qXL(w6q$9R&LE|(y4K$51R63MKpOkrUXrqcH)5#1Ol$pb4
zwYKF^NV7LGWXzx%`Z2}fyCLE+b!T1XG0m9R%(Ba6aHa<FrS!y-%gMIns%d!2qgEIw
zz1c!m$>S;~Yn7nAWuuRhh>Ut0!%SW!tiilpn8Kqa;~vB2@~%TnSLRXg>XGKtmG0tN
zG#V|HAzimB#JUf!>3m<F{>dr#7q5MiF}rqUkF$`CWWS?~g*@5kOu};ts3{O5De<qi
z%TC`7_|DM1H=Df=qhd*gw91DLO~BBKgn1{|2-d05k~Lz7=$a-_jnPsOI#p%p{@Hhs
zSjW4$LLOLNUPG7c7XV(aTvIU_1+H9IL9;_?mu8%={^|f^vt=S2Tjcr*=3~(eDS0;|
z37RU~+;1Q$@;5bQL{1bBJdQ`snV2LAxlm0O56~3H#AyNudNKp~1ZqO%EO5{hOmi3_
zr(u{Mc1ME4cl=r@w3&(8jjDZ8^^jX0<mqD2sg)UYPW+x=nUr=2I-Lm|V1@}f?Turr
z!kqSI^jK!vt9qCcuIzU1f@j<EmP2{j)Uu09gKe-CscDc*v4=7^1)d`5bXvumcDyRJ
zwH+cI9n#T-37S)H-MV$E-iO=kCEL*~UA3s%+`pdT*U^=gE>LZ4m;8ERwuj#<@4v11
z7=Dza{Rzm@j7~QM`E676mMvSR;%s)8)OK}AwyqBS_tt{~T9@<ZAVxvcg|ayDBozep
z)=Ps6`<gdeWc%}Ll>C2K(V*JAaL187@<A(APimnf>eo`PPKuY6?7yr)J<YGSxkFxk
z6FR|mGp;*Z)yw>&x8Fq<U7+|;kLRBIv#efynWS&sAla^FdE@1WdiXVi59OOOWuA%~
z=3Xq#%~^~E`h{L*JkFhRyec2(Rmt|v?Q+A#t#af13DWhT$PKryhn9D`L<g%MbX#i1
zq6i_Pu!+9b7rMu?(BT&KPWKWd^#Wk!EC2+omq3NMcqpR-rZE{RycaDGX<Lp_@5g!F
zY8kL)q+gy<OMxww>V1=hi_#%7@D8{LjbasqLNb)Ikdpv1cuE4Dj;P*sx*^XZREJ*A
z)x~0QrBF<CY~DTcg+}IG%i#39H^72i9!$B`rvaQPm1@ii2(8HDX!W87?PO}uMrIMA
zeH2^NwsC}1Ci2tiJX}TwxKswX3=eP#2e^cRAmyRIf~_ld<{89cDajB$h+2bGzLRNI
zaVRqed6txBG*06s5Ns(^?Z}*Zxf04ek9fGBZzG?3qc#5Wy9%6&BrTCxyIifL4lc-#
z0_cYMOK}$IQhyPKe5#lGF}e*^KXP0d=1cR~V1s#<w4?VSnb}IZ+x%67FB@DB&(q_v
z1s8d32`}0dn|H<q_*bDV9`#afE8<a+J6vjiEQsM=wN2ui9wBNr0!gEp<7;L%7DltN
z@%BEOjE~YO<4~sxH&-Y2YWq6fN`XY{q@~%Q{5Ggln|DrQsx6xI+M>(bv`VQV_0a{1
zmL@MAT^fxKnY}2MH0c?MCCRo$e!+}bvq{qmoNdRd9(j<p)RER!hgwIaskpXIy((u_
zTIaWjjdel=tg|~gFzfulg>?p97tXZ~XG*c9N1SuYSclz;tat5|B40=9c9-~N=9Nj=
z>Uh4p$44mrM$|LX7Zs3x!_t9D-&x!}w7>M6+oiUaK7w>WdWZ_?k)x%@>B2}4N4Na6
zmVZw{`8k6*>vDZ_(j^0x-wQWX^_QRQOY+N)lEU)aedK?skNh*y(%4^}76G3|{!8if
z*t7#-O4e9EzU_KhYrXROMcBFzM;mN-v0V>21n{Yj1uKPf_A_RmlDqF2_%8L$@x+^5
z@BYzhJ$c+L?nt?@pN>6bGj@?nuovYu0pC;Dl`h1w7<)!%4+OX5ZL=d!W4BvF1YU`J
zB5)FMgO9*mr;D+vbH&M&sq%wFV6;JXH50cWHny~ppU)R|eruC85bOmPsVnwysO^uv
zW%efI56RTAl8;k8GZ8rlnu%N`Kj`rUgDji@9CWSE(};~eYQvkyw|9Scp!(ccx;?D)
zY1J#+V}rkse%NcVXnnXhD6CK4x!LR6)TkF*@@v$DI!2?AKSB$zMph$#m4vL2rB}yQ
z5XXX_55v01V`-^OwdvtzMeMY??eI{qEO%6BzaphY-&L!qfHzE<GcfCQmUUV+Zg*vF
zzeKh{zBdF{Ey}}{m=-;}R;_0skr|0WzIC`;IT`t8P2b(H3FAQ>1~Oyj<DR#!c-4qp
z8*yfoe!>~ki~afit2>|-(ZuY*f?8EB`gmG#-t^as*i+(b_3`IT@0yTbuRf~;^(weZ
zaD7;-){4(-mEbk*`ibYybLA<w0fSD&&tQTO@n1*0+DCj^t_TyKh@V#F2Z{J-lNa%k
zpBM439oQTPm%{_`3+Pk6dtkd6ksieFb9zvS|A{^KqYyucGa+B2T%4Kt0#8MU3TMdY
zv&0$ta6X(l^%sW{XSl+ABAnU#E;tMbXQ<a<jx&*CtGBxHU#AAnY;FZ}&g*Gz8;Wr&
zNE})Zm54*PAohG5La{h#L>#J7<p+sFXk&1w4?a_Xf_D4-ck#sMOlZP+wA(FEzL4E;
z5#ifyo7(`DdheviA^osR_uvn4DeV0d_({ye-5Y-v<BfFiXEL4^Jk)JPNm9n4e(%jS
z>zSMD-0_J7#|OvR0gn&b<Q*R#jSutjY2EnExjaFY1I&6(P-;B%3F-!<>Bm<fZuRX%
zgm7>yqn(aX<p=4<Xk+X&2RzKK&_=$8{!hoQkXsJy&+*559o)OBr{$<UynjnoXitu&
z_(Xswi%{l@0DsC#{`KI`yO&j<kfh}itZ#jLQM-53OMx9Y6vm+H^9#9|^9xr4v!`Mm
z5^WU9^qI4erLa#N9($_pD=SmEKB4Dmf1gMPeZu<~K7lrQeFFKPs!#a*bA4jxWt*(e
z+$SK*;qDWWk<*?KNghEgwlH@XZVHK<HWYV4z`46Iakn3dxpg$|qQAn@_teb|{idTz
zUz6XBUyC>^N<gkWK9RLlU?!&zfdxF3L-4AYS2e86iznPj6#V{&-~9|nc?F1=Yrg;C
zH$?;#$fdpyf@~^A^)JI=WP$zoX|YIsL4yGb1p38}D{p(}gISBhzr3kLPCVg(ZQMA~
zN%Yk@7bWdG%XPNgf|!1D7l^*o38MdO0ntZZ1ksmvg7`fdJrZlQlp`k3k%;+SSv6vQ
zqcRpTee*T+Nw}v!)g_iilXZz$OPg1hjHaS3ZH;ZQM2jk?|1z*{FwMQ%+~~qY(mOk`
zGM-o(tizdLc%KtnkW8c!&0yWr3+qNmGheyFq!}|r)Kfp0uDd#-zHj1OVmK4j1qC?V
zYHKgoh8IF%{`e!#1<<ZYs#Q%&>);BEa6FhQt5mtYLT*<xbCj~{Ud;=otUnIzY2`gO
zTj?Khb-ty30;qP(ms!hYy^yrq={Bl~dgwNG4^O_IfNzSpT7GEngMTorMsElae9e=L
zHOAFT{)gu0D1PIukt()<MU=9Xy4l2vlgfSwU!W|LC)7?jsitN!euk7@D)ZY5enzAm
zVPye)KcuXK?^lkiUxA;57NgJ)^bQI+`IIW<F<K68XGAiV<Ma76^r=P<)MuJP!87BD
z3mfBJeLU6_^=2dz_}$9ai`S^!SWyK&l`&MTHK(NGp~7b;IcFy&U#l!P5waALLHl%(
zf&et?2^v4(F8FXL7?f^X|FZRG<Btxnxf%E|_JdzdM}?xCybScc55zgj(Ypr3zE*>X
z1sgz+Y0!g+xh_2dBF6j)MDOVWQ451DFC)#h=QR*9=070vCg#xZ_JVl19YSZs9AXcq
zq@0DAG8?R6n^`U6QVWvNXp2|BD1omxg1AB%`3<4Ai;mfz?<PjFPx(Kq25a0yzQVse
z@hEf*eU+|yrqK%1qs@&=;%(maXezd_MJcZRt0s^>Ny^cfMxvnXU`C>)E#;k;iZ&@Z
zXkQjlH_geL9bMcSZ)}V9DW_dD``I!4hMekAitRu~XAf!eoCKoIr~2<qb8NmBO{R#=
ze5YO6j`jP7_thb@5}ETi-}LGWuxYvMRNsjOF`NA6;&8bTM@fFnbT;CZ>SHMd=Y3gz
z`F7A2I30)kB>wbwww|1aqdSlAD)`ucAZABlbc5TO1JyNU{Qi-Cbg05W`#)6u8a`j-
G{{IIB1_6Bl

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 97591849fd3a702c78859172afb9d48ed1d6410a..301d3e61fc37a2fa0ad653a6c193a8899c0bdd56 100644
GIT binary patch
delta 457
zcmZp;z}#?!c>@a*XAuJf!@vLk{}*rOW!lWhSU7nvv;8EN9M*z&^=^if3t8Hk_T1Y1
zi{%(IXG0jTo8ifujLefa)|hYN?9i8}D+Fq0;9_vCNKP#%$;{6yZe<W)n7w!M0*f%#
zIA#V0|INQGWEB`+ZI+D85wg`|U~tJyQOL_LQOHOvOI1izNY2kINzBYkEmBC!2jbL{
z<c!R`bOj)plTwtL=gq)SoRgW7TAYzzK3P9oS>7Yq$IY#@sw%Ze*Tl@&z|zpv($vJz
z(8SctK(C;nWOHlwEPkmTpqsunGBCtWU|>j{$H2h5hJoSbb_NE)y_+qoPYW>iY-a80
zG-Ksp5@6`wTz_aObNyeSAG(3MoEZEV85kfuMj(#^C<fs%0eQAS9wQSQP$e^v2N7oh
zvQEQQu`>8F_ySFUsA2=kU1yMCc)-HIaEBp^!HU6y!39VoLpvrRhAorbj~Q`;Tn*I8
z(8JI(dFf+~$!m_O2ubZ{V6ZyDz_9581H-QyK=<96Y*`(!+35H=nav5cf{crvumAvG
Cl!Tc8

delta 242
zcmV<O01f|u)B}Lf1F!@F32^`b0RI2~|8lbp0<!^=!~;B$U<8r`Yz5$ZfnOt&aRi3~
z&Dpd11jYji01FRaBgxqT1Cud*H?j$cFBt!D000003IIiTV`Xr3X>V?Gg#Zu$th|$;
zI93H&0{{R`v->z5AOUN$8Ch%+vjl9K4;qUA004G@007>P008El0054w003&Y001Ps
zlhMaevj}{95CMy`gp7$cvmwKl0}<B%8US(x0077US^zo#NB~5WB*#P!iU0)w00031
siU5iL1qG9r<Rz1v$0QOfz5oDA#{dAs&j0`m*Z=@i*|X8d9v!0Q1g(Ei+yDRo