From 4b03c24ec82730035cc84c9543b9f693aeb0958f Mon Sep 17 00:00:00 2001
From: Dominik Stadler <centic@apache.org>
Date: Wed, 6 Sep 2023 09:48:21 +0000
Subject: [PATCH] Bug 66425: Avoid a NullPointerException found via oss-fuzz

We try to avoid throwing NullPointerException, but it was possible
to trigger one here with a specially crafted input-file

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62074

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1912125 13f79535-47bb-0310-9956-ffa450edef68
---
 .../poi/xssf/eventusermodel/XSSFReader.java   |   4 ++++
 .../poi/xssf/usermodel/XSSFWorkbook.java      |   2 +-
 ...imized-POIXSSFFuzzer-6123461607817216.xlsx | Bin 0 -> 5327 bytes
 test-data/spreadsheet/stress.xls              | Bin 67072 -> 67072 bytes
 4 files changed, 5 insertions(+), 1 deletion(-)
 create mode 100644 test-data/spreadsheet/clusterfuzz-testcase-minimized-POIXSSFFuzzer-6123461607817216.xlsx

diff --git a/poi-ooxml/src/main/java/org/apache/poi/xssf/eventusermodel/XSSFReader.java b/poi-ooxml/src/main/java/org/apache/poi/xssf/eventusermodel/XSSFReader.java
index 55fe271c79..8bd52bb9e8 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/xssf/eventusermodel/XSSFReader.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/xssf/eventusermodel/XSSFReader.java
@@ -380,6 +380,10 @@ public class XSSFReader {
          */
         @Override
         public InputStream next() {
+            if (!sheetIterator.hasNext()) {
+                throw new IllegalStateException("Cannot get next from iterator");
+            }
+
             xssfSheetRef = sheetIterator.next();
 
             String sheetId = xssfSheetRef.getId();
diff --git a/poi-ooxml/src/main/java/org/apache/poi/xssf/usermodel/XSSFWorkbook.java b/poi-ooxml/src/main/java/org/apache/poi/xssf/usermodel/XSSFWorkbook.java
index c48c338e6d..e1005ee1a4 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/xssf/usermodel/XSSFWorkbook.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/xssf/usermodel/XSSFWorkbook.java
@@ -831,7 +831,7 @@ public class XSSFWorkbook extends POIXMLDocument implements Workbook, Date1904Su
     private XSSFName createAndStoreName(CTDefinedName ctName) {
         XSSFName name = new XSSFName(ctName, this);
         namedRanges.add(name);
-        namedRangesByName.put(ctName.getName().toLowerCase(Locale.ENGLISH), name);
+        namedRangesByName.put(ctName.getName() == null ? null : ctName.getName().toLowerCase(Locale.ENGLISH), name);
         return name;
     }
 
diff --git a/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIXSSFFuzzer-6123461607817216.xlsx b/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIXSSFFuzzer-6123461607817216.xlsx
new file mode 100644
index 0000000000000000000000000000000000000000..927acf2e942390417eed6502869b77688f4b88cd
GIT binary patch
literal 5327
zcmeH}X*iU98^$qqvW}eyWh-XvS+Zr{CfOon8DpO;SwqGodqjw=*`wk~*)`esEyR#%
zL8$D;(&W8W@6+=fIga=F{=D~x|9#xY|Ne4bzw^AV3#Jbu1rw1IQ4$dmoglJ<yc|m)
zCL%&o5D_sGQIc3|AiezHUVe6_L093vHsXPv9()C)B*J+_B*6dwfBwZ4=rgl6ehC4G
z$*rlJ4wbPcPJl*XBGa|!h{IKF1}*d5vvPd)@&07-cc=!EyL#&@m1p6~`%}D+^f=DE
zC>RnwIa8>?54$(7ZfLSD8<x1DgH99~C^S#HBg4l*CoZw~zJ@sddd<sJ@W8zgJ*Zfo
zQ-%wuXYj*RTHmg=Vty1{N|tzP+0V<h_%3M9!NNXC?SRooHeEc}YIlO`<V6rOld=b^
z`DGDCI2pq!7taK;m=Kvhb`i<>M#XyAb>mBoW_Ndbo{-bnulDE*ZPAYP1zfPB3VW25
z+3IXdptHoB;Dj#QS}x9v+%44iM66g1-f3-=>F~>mqpcm7FFF{a;-rapB*y98LqkRG
z!4w}-?6f)*+JDTk)R~hYl6y6*$jmc=D0n}g>nDHE06I3YUCDSQQJSQ_hE%Bvd+Z~l
zv)AMZf`8<*VMvR0UR2{}>jNZk5ZD^eJ=QYk+N40=oNs8<-zZm*Jx*D{yn1ip+6jF3
zN8iS?Z*6<juU+@X$xKUgr$^EQ20S<b5yAeJ;u<rEz!q?00ECnVNU@y{+{0Hw{O~+X
zul)bh`!CMz59#rD28~)Fv>hutjT#^Jm%MZ+^NSh`bQ(^W9)BVDg|{Z*fuJgW8x2C~
zIbw&m7Y0?V-+Y;OHRa`YkT7bk7gnp1atN7l3#`mFr_XcXN4SDJITN|<EoR<$*aa4*
zW;smkmsZEcan`4P6>yN|F$UADeex+vhFs{ecNtFMD1}d_&M8N=9EY7z8pF6zQiM>H
zpW9Q~t$r?ThzyjN4|Pa4idW5HR_yhk({QFK8^o4os`u(fvTWQRW$fPPcLe2}n!0Sf
zdGJi$n_oX>NC&r}G#l%yy1X1Ap6gP!(=?#;t_1zo&}qjW(@t+{cVtS`uL?aT0%qMS
z5D^h45hZb;hs2Md1R#Cf9gs-(!)f>5&=3P75BT@r{WPZZy0t<WH1RjTMP`I5KTC-+
z;YVDgo=n>Wp_RfIteH5s-nKlxYF!e6^D>Y{-BZIK*RsIQAZB9%)~BrmPUxF3I6XaM
zeNjJ9S!q`J1}@K_Ou=2}r7CU1yKU!v^=#@jCb>#SMl)J{7xk;Rqbs<UScJxtV^Vtd
zY;Ribab}NbTQkqQ)~g*@fMTT#t0YeDgw~OGvtRc6W`{L5d$`!W^gPF)_DTfrIB(qv
z>I<g3nJ9EwyS$OPt{{0MZHgVosoco!N3<#Z7>_jcTZkVNG0GJ>;k%93pSqP{t5A3Q
zWa7dn>T!KZgDNF&gUZ~(N8xNJM0nK>&_{povfg`7!H)q?Fa!QM?8AV6{_31~6O0KK
z!q6l&8V+mc_#kgI<>Vj*ha`b$FJ6{ZzJ{(zl<B&oZE|%d#9TJN_;T<afBfR-=I2(~
zpSd)1Fbb}IdO{_PC-d|L3f~lOT6hPoXEQC-v0mmlCK5`lJy<QF{czxQiMC@7C6i0~
z$ke`ncZQg|ORb{J8J7yv4%ul(m*;&othHBVZXm&N4_pQ~#btQd)3(Fq4a~Zk#0~1)
zRre#>Q16a+2Gn@)^qb!`U4;nqH+mw2B7Ij_PR1(c(k!YK`bFh0;xt}<ncB!UwX`vK
zAOfFk=u*@lVrDOmwW{yW3f3bvy<T!XqMF`jxKlpneb5z3R%M-!({|MicL-W;_VuY9
zR94@7qE9i>jc*ktfSa|-HJKPRzHokcww)30Ohpp3I41@E3N0ekdc3N{b2MxVU1*|O
z&f>K=`$ekaN`mA<>g%GmIGZ@#jBVyX1@&;Q{P*F*yZtt6`-6mQIcyJvc7on;Z8C?s
zCB+ZLF)C0Uv!vH%bg6#DhdSVWAZM=`W;gU{2NAY=tzGL%A-m?z(+}mey=?;Q5MAeu
zT8ja?gR>!IN3j*`)D%kr*bV^X*?+P1b%DeEd?miWqz~Ie{2fCi7D5}f0@~&!opC=q
zscj)(1U)UBMhuDyoq@+ZyQxzk1U1}P(H6T3%S(TwlND^+EGUOJ#>8psOxk<Qm6sRY
za2cwXf4V-nax2T&#A#&M?KY!TP}J#_=g3(PqYSzrQa%hi!}=_fVS>qIJcHk(tEjH<
zU;{Pg5?5G|UY=(VxY252OPl3s+`78Uh&%gh{J;ykeyD08jbOw?8)0GCFesmFgY)vx
z;??_Jv{5mP*&B%iWTKjo{;=o_zlBNs=u(p`O@pAsD&`)VBcz<YL_DE+^Loh_aLO~T
z<<}S`|KvR6+`?T`tRcsM9Yx94)2xLJb~p@!<(p*i#wW$L*2}dE#xn1HL^8aml0wiD
zxKOc{P}~+ljD)-TM!l%gZMK?Q)s?)umLIo<M~#(2$>ieOs+X72?AwDK2Nk=b*j`MH
z?M>|%r8p<((y!W-VA@YBZ5DkrkM$!SW9dYXe)T)$uY<Pl)@o+J>6bnXFxiZLD%e+}
zo4X^f>BgO96k@Ga{3yMa0A%p@kfJG6W#R#l&A&j(0qy;-ASI6ixj0TQU^IM2IJ5Oe
z{zrd=;1nx=OirP6e+zHr3(W}IU?!><`mN><OJBwm*HF+))RmV_YryQ%99(<m--5zw
zYm@oml;qrG9&=PFjn?6WY6X+&5@IOLDfFwJ6AM)rL>Gyb3uCotua92XOgfv;q~~}Z
zQq-kbQ?V>IhanF-CA}s^yQJ{YTVoFg{U9Y+5ZQNN9LY0ku(2m4PwyShE+M^}%&55R
zagL=FY%7O72SaB&&ODAo<{|ub&*7TJl9{g6IowwW-+VA{eeGe!Q(KN+>Qh+FwnumI
zG-cxt9R}>;Iyc2xQzjG(2!2&El@)bL`5MY)tS>rgzMWsN+I8%Hzh`lSTN2j9INK>j
z$TwIB0Fx`q*M2?Usr{6Y6vUD?wiUptwCL668maro+vx_;Y1E7=`4_1A?H0amS;4nY
z#BM(-iblX}yzjf-*Ase|=yOU10YZ|le^_2JiA@w9r1CXH3#{ZvC%}ij-D5SEJU7M<
z08YOXWO-b!)C5FO47e5eEs8%T_II4nKj$_2c0ct?2m^WrwZgFNH4@B_Tx@%ORdkCu
z&1pZ<lc{>G1c?+!p>Upvbb@p7luF5kX_0kYc9aP#Ul#|GV#2jnx^s+`RLGB2dqt<!
zfObE)u5>`!p~rZdK0>otetf6|?5|g~=&GJ}E~z(typ!r;TGd73eilWO<$~9xJKZ<-
z;zW$hHIycq&P(0;^fmW0)*s@xIxm~7uW~vyVW+EKlF3n9H!^jFr{$K(d{^F*UZ`2c
z(MyUl`BSHVr2e~$zi%slS8oymsBenKnJs}%cW+Z*1)bi{Vzc7%_yVz$@RoaJnVm{8
zT$;z5MxUgSQTlXXhqpKfKHJxjVW_g(yA?-P1*3{>#mkuuGuD~u9j_#dB+Af=+{`xd
zAkR!LqW`d7wBg;63jbuL>Wj%Sy#(fBQQ?4vL)(YlqO}{yhtFyFe;eGkk>i{S@y+fo
z;$`j8YFu#Uh^Z<mRO`Vf&T5GGI>D|LHH(f*0Azn>&*_*v_m9+nZ^nPBCxOx)vWNLR
zw_!Q&)Nsgt8HASIk8JRCU7E#Wdja-mQj(C)Jp^Cwwrqa<8&}I764JBpJy)!brSH|g
zM&Zx{?{GY>fsC!qnS(u2#{l&Kq2JZ}eOIr*`9uAhcUvml15n?d_NrW1Ry0g9Z_gn%
zWsJetpQ<42<{|s6V!1>1cmBd&A7DS4SYm$$P;XY&ENYHCQazV`!Spb2BMtPfpU!vk
zu@7+dLiqmNRDXW{a(-iSuNw$T3v6g#BZtq8_mS#}tT{3N*w8B1<T+HH%#3^uJ$7?M
zRWIO@-n*O-RqRZOT^q&1I|tZMFC8fbPXdiO2D=6)kQSIyN2Re_Vs6rW>KJR?zROmA
z#?(1I)+H4N?yD(Av=tz>O`Qz5r{J-Z7d;)HW$5H~OVZikqj%*%9b(1u>}0!FWcd=)
zUu7O3I$eD-@fTV`=(e=T6lUwWlB(y*RrNMKxI<Uu)>BX8JQLn}acYd>RFwA`f;Lr-
z2W~B|(H!N69uMBAW}qU1zk0#Z75Qr#dSgkTz|M*~U~og0vm~o2eAXg;9=SoRX_7r)
zu%O1Ic@Re8rN!WU3GXwQzt=i5_^zX_mK|IHr$9v}c91>9E&Eu7-VnZv%0EkPzKSEc
zWncGEC8&5x3+_`Etwp7YF?F93U{$Uv;dgvDlnHe<uF0Ns;3sILd5>OG><j0BG(y@Z
zg}V@ckb4IeI)BUM=^S=Frxm)zy~G7nWBQoRq>mZj$za*UoL%!UAsYG3optQ$k@8`p
zT1`EG{EGi2U+T|R*qCJK4#<yMQ9sbg2$5Q5jg7t}QG}~`%?lCyWAfvCq@W%Fe{8FO
zZ*$(;IWQM*FN@_>iIY0?!;@4VN;(BjwhGh=VPTp2d>NRwANmAE!}gj^BCelp(A2ur
zK%8Y*IA1u!&CtEAK<K9*;(z*qw_9@C2A{Z_M%>DC@l!miQA#<QaI$9pVA7jAd;WH*
zagIhPEMnmK7xF@nI?*I1WiIUrLY9&s&5otxu5?1P>uN5=8$#gDkqa6<2}`IwPzL{B
KbNz7n_Wcj<i4HIT

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 5af5cc74d01a2758b359c3c191c20dd27d781a8e..fd160eeb72089b9d6b6383aae54de8902d5d6607 100644
GIT binary patch
delta 775
zcmZXRPiPZS5XQf^-Tcost&K&6v<Vtep^{BQR;a>CF@k~wg3@b*sDU)0+pWZ2T7oD_
z(Ub=j^b(=Dcv4s57KDNqg?cQsy`|EF=t->?G2rYbCW4oJ^UeI`d$VsAm&C;-@kK#&
z)~5TP)|*@t?+Ukm8o$K%eeU?}C-vqI>*LFJlvkcnfiWKTh5q{n`9q(_&RUTx0x$<V
z2Mu{-QGkpXJ^*l|%IKgf-}H?WU-b|35x=h!sdiM84tW!JD-b3SXh}~`R{fDS?FR<i
zb{19j2l;2eWS4^6D_IeB@|a|eWnGh&I@eHR;@`$$N}TB>YEtAVbFoQ#@I0>BKOy5J
zZqn$<9=9irbqDcw(?+8I;t96O7nFm-m2JMFTy;!{z?|_-35D5rBQRAt!Y=bKxtKbY
z$)r+q^Yb}vEGfsw6G=H4Q%=iDTuz=U7iP;LU@}`Qmh|wAoE|Rb%6j;^R+<jy^_-T~
zOPaB)y$g)2(KC(S2kt!v9@PQG0EX6q^^d^IEn}v#F~HW0vpjnKuv-|w8^T?P+FMXr
z09MX4GTVdhg%-SaS;Z`s+loP@$NH-TQbVMe;3Tq-RGShh+UQaaT!KyxZOYl9Ose;s
zO<2zEPLD~8R(sZF*V=?-o$6wi^#xLvwF%35i&pa73p81p%g-Xb+Vt|3=7g_76me*v
l!CS54T--f&U~>o9{{$4i0<V7nzxVk}C2c&|jfPg4^ACq;v2*|c

delta 502
zcmZWkO(;ZB7(MrTn3?yUL1PllFfoNv#!TMEf@DK!EXdZ+g0dnj3xAO!O?}07^0QJy
zbJbYL!U7A)g2BRKCJV9hvm$ZdqZ#Ec?mgf6&bi<Drk9oJWo36%$-CI=8R|^Zn6kkA
zZ{l4!$+3N24R$7PSq`yzBW|zYj8moR`FFc$MYUV3iSm5_&t<I`!wC8@iU1mL3c!X4
zlaK7ur5cp_h~_4*rv9Q93q|!(M+gVplu4mk+OuUu^Zlqbpy=m2Qx(x%^q}ch%S8^|
zMAAtOx*5wH6V`vnNMq=)(JhJQED_axRXm@yS;0pzU@Z|q9foD}rmXH>ug?T=WM~m8
z=%{5unlehba!sp7Z*D*V#>KPYsbn+4**9Az`1q02n~?j(76JDf;N1d_<G}hM&~*k3
zC21)g7L9Y0g)AXr<Zl-rH{7OPqY>wJV4sC4y5pm}l!Km9hAOS{FvJn3uCE&ENmm!o
c-2fXYp!^XSd;zv!#Zr30BMRrc*(S^T25B*TU;qFB