From 5d073e35864033aea6fc3e2afeed3fad9da033a7 Mon Sep 17 00:00:00 2001
From: Dominik Stadler
Date: Wed, 6 Sep 2023 14:48:58 +0000
Subject: [PATCH] Bug 66425: Avoid a NullPointerException found via oss-fuzz

We try to avoid throwing NullPointerException, but it was possible to trigger one here with a specially crafted input-file

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1912139 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/poi/ooxml/POIXMLRelation.java | 3 +++
 ...imized-POIXSSFFuzzer-6448258963341312.xlsx | Bin 0 -> 6874 bytes
 test-data/spreadsheet/stress.xls | Bin 67584 -> 68096 bytes
 3 files changed, 3 insertions(+)
 create mode 100644 test-data/spreadsheet/clusterfuzz-testcase-minimized-POIXSSFFuzzer-6448258963341312.xlsx

diff --git a/poi-ooxml/src/main/java/org/apache/poi/ooxml/POIXMLRelation.java b/poi-ooxml/src/main/java/org/apache/poi/ooxml/POIXMLRelation.java
index 5bf576d4e0..e4f6e08ef7 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/ooxml/POIXMLRelation.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/ooxml/POIXMLRelation.java
@@ -205,6 +205,9 @@ public abstract class POIXMLRelation {
 PackageRelationship rel = it.next();
 PackagePartName relName = PackagingURIHelper.createPartName(rel.getTargetURI());
 PackagePart part = corePart.getPackage().getPart(relName);
+ if (part == null) {
+ throw new IllegalArgumentException("Could not read part " + relName + " from " + corePart);
+ }
 return part.getInputStream();
 }
 LOGGER.atWarn().log("No part {} found", getDefaultFileName());
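Review bot: The new `throw new IllegalArgumentException(...)` turns a dangling relationship target in an untrusted file into an unchecked exception, and nothing in the hunk documents that for callers. I would add a comment above the check, `// a corrupt or crafted file can reference a part that is missing from the package`, and an `@throws IllegalArgumentException` line to the method's Javadoc, so that code parsing untrusted documents knows to catch it. The other not-found case just below only logs `No part {} found` and continues past the hunk, so the two cases are now handled differently; if that is intended, the comment should say so. The enclosing method starts and ends outside the hunk, so its signature and declared exceptions are not visible here.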
diff --git a/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIXSSFFuzzer-6448258963341312.xlsx b/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIXSSFFuzzer-6448258963341312.xlsx new file mode 100644 index 0000000000000000000000000000000000000000..0707db6706bbfeaed018f10ed1089fa984fdfabb GIT binary patch literal 6874 zcmeHMbyQT{+8;Wko1r@-Mq24cI;3mp7+_!qNktkYB&8)K1f;tpq$H$M1Vu`RF6nR3 z_pbNe@4CMK@A~duYwxr7dd{=Y`R(<4>Ktt~G;}fmCIA}%05Abk*S~7kp#T7?SO5Si zUcW^mh{Bl*Kt^2IL zSG2+TRax@%{US1xgy4afifR1r>2uc?Ja(qOj425!lsc$g>GSi(&H?q+MLyw?3#}Qi z3kPBHlY-5%% zFxw@t-^qAR6qCZ70J}y^Va-g4#-`-9J*j!G{}?PSh%2oc=>!2N>sduIk~IJZGn}#f zz#TzK66udVxeWxp+9Jjacw5(=PW}q#vV1 zQ{FYy6HljmTRyg<{Uc#zAO#lMX4=Q0tXN&-k!#=;DE}$B;bIdF_F;YVE0eN95I35v zoI3EFp5cx7#phlE-$t{TnLViwlGpKALQVetdwT-LgqnLN=O@Q;8&?)rx>UYPx|$p( z@A@Ubpy^)AUa2Kmi=RC{p|}Wr;b!p}6ZSp4jRcQtt629O+Y&nXrD3F4I$iPe6%Hjo zl596OXaMbhvDj~CYGvGCaBwE z8j=$@8hHXE-H8!Y4K%q#CShxz_R(y{m-x!$soCdGv0x+yvU z00dy8__*-@rn@&32C;@hA-D1AFY2S;QXhHmZM#9X-?RU3V|nt3W+;d(?3BGjezKiR zTiK>)Sk6Ykl#U^ni&7QSWWxXI%eHGImo>ZC9TC=3p{&ETu_3S1>3Rg3gvh9BHXD}% zxc)AUsoJ%dPe;oJ-ots_`qAKTXpGC`sg#S9j^tsfV?vTOE7m$N`6+4apaq#?kcZ@) zyYBsEF5H4j#mXa{X~qMgCG4BU5K2L<27b2Fi-U~Xp0S8;H|^&7!ocjTfZfiC=h*vO zm&Eu0481i7<6uFkwZveO%y6$$TC1>Co%3;lPV6giejR#3C9YL+vGmK$k}JS0 zukS1GJtirHgGC_S;7ybdh6h&E?x-1qY9pU2aOLG`y!bzx(ry&~%oJYbauHJBTIK9> zXrr}0QRD1DQsdv9sc)LH+!Rvchz0-U>Ci`8e zB$^rfTxC?Kz6LwmEa)}&+HP%fhJhQuB0uwKQ2P8AXSifq_!VG7cp}CF4kA&I;We*a2nFmKFWZt5y6ocT*)RDufjIE^ex%{^6ZfFF>>B$Y6zX|>=9 zCs^l$JjV?ZEjV3ju(>7?V>l^iJB)dWrDxUdhuiQp8mH(D0c z-*uZeXCXWqE+Brdh`Z{Y%x&>3@hirk2r%G3^X3v00EnWy&3}Ipz|+yr)sFwyc<TLmEc*;f{!kkZO`!7Q(z$9H$4RAX)2US-$rDY%*4hkej(z-kWmZ-NS+n>i z4;h(4gRi;)8oAg}Q|~&(1zUf-^7$mj6d1TZ=I4-edI7ONIgedU%adnjU3J%ytTU=lFr)3>quBCT7}xs8BFYLRajF_j2F1WgQ^Vi~%JyDjsAbNk?kOp~pQ2qL zG4H>$^Q7)t0nZPR6$CKVExehobfvt+4}4>6*1F_YUxp!#)@g;EVq*S50`ltES#ZM` zbv~!I&GhB8>PTAT!Y|-pGa{)!PK*92)c1ajrQ<^%bFL3Aw}$wou8%W0=zpekUJ0}*+c1yQ!9q`b@fxW6n=+C*#26I$yQlIx 
ziT6&b+{y+}KBt4%dxW3=XuCkoh#>TVUyhB}(>$-vryp$0pF`P!jb@nn(7CG(ar-uj zYAOYMu{P`5wt2FdwAB5abm2rStRkJGaP`7KfmZmGN|TH}A(Zp=@;;iJ#EfL_)cy}X ze2mm5C1Yq&8EJmz69rE>5{eYWg~FTEpNPnp&@CfAD{G8CF@Pq?Q{rF*r7NG&TfLxx zey#4VjFMet%=QG^Gq;a~7&zUR~B z^jlf=rGZ;0xgCZWgsx6SY)`Oq+bkzx#phFPd#r`*!W!j{1mB}@zQdjTZJbQS zM}q9er>CyV_}7O|y)Ah87hH?+Df}uwOUym3o@eWaiw??vFf!DjYUUl0GVZRT@&xNl zrlT=)5okD}OV_UNtSF(<09l*P14~P2zL1^FP0I*U55^p;zRv=`9>#dTmSOJSxD_e4Uq2wTgmTQJwF2ZI8=gf$BJQh>A zn-?fvO^2y}g9K6vAn-nFnA1UYTY?WenM2`(N z!P%H^Xgi&r+2yhjbt{&4s?0)IR^$|ETeN}WRV?70 z%+DzEsEu#-fLVmIUF*+e365_X)_Dl^X51b1E<8ig!#whtWe4c%*pi+)fXeI(`fF^d zS(0?v9@{xj?CY9q;ecHN&=hWhUk2|6-G=pjqaw!$R4SMIl zY8_1-^PoO;>@4%*o%Xok6;C_UM+e(^qATkbwbC{HFL>|#BuO93l2cH378*muXJUGX z%9>$By~fd2)pH+TyE}v&NrP@mu+y&^aXcqCMV>Oq|(tbd`;IR^5ckFiN&}^ zD?F0m#o?jy7aUW$6NplWqKKnL5$Rh-vwb?CSvOwg!|ghr$kdPQe4H`1j`JAR&FqKw z0-?snt24^tor~;{w==yj{iE2P_1WFw-1SaB{Z?Btgpl2j4QdG-n%d7aPw~ag63z74 z6V?TbWq4}bgyq=?F1<#qGay6Zzh_GX3P;OrNC_JWi+u(*zj;bsTvB+rNro(tP)3viYp#x zaO}VCET{#-(t{WwX5tGLJ#U*4FBrx0T|HnaLOk!aUoL8R6yn%C_-b{;L(*Fl&ZP8A zH)=#iu*Ngn1@?f_KE?^J{lIZ&E@{DGUN%e%GucvIrx7T(w9c5(Tm0?DW%hAFUaeqU zy2~YT-f$ojJ7aiuJ|@>Jer4j&5l=~tw&mIf(LaJGuPl{lM@sG@!L$AbZ{uhM^MpIv z*?Im0|F6aWiQYnCkNX%U#r7h^m853B7z*VJ4qkC}NWHQzT97W*`NVaw@+w@Hf^mQv ziZ$!hB-B4mfzIJcp}ecoqmFms*IY6xWc@+w6Jd~Ik=V>wF`1WY^_G)did6hi>P$b5 zUP`qd$_Tl*?vMPrlAnWt=h0l62J#Z~BnpBNh|8SqMK6%&-nvMFnlw*x?9YJ_0TLVK zhat(kbnhZ`*9UUHt3K5)xBMgg)sZg<#1FsH{K<+8W=wK# zYYr`B%|Z41ByVeuzj*ZPB5<2`#^`B47eRRKgmce`Jag7wZyKOCMCU11q3}{53MB6e z(A}w5khiuzU5-o4v@+$FRLN&O*pf^vt#A;HBn@>OpM~is>jsL>nLI05tISy>G}Kj? 
z=$JQI<`P!8g2Mk=S#IS`D&QurtOYU;xR?C7s{@?!Ry{;US^BiU*M>ZLq$&GN4g!|z!YwW|1%_k%5` zmyJn5*2-bB#VHf;Au5d8pii=fH=gmUQ`fWM&~Qg?QK*+U;a7Uol#e$nnGtl+qbI9` z1raVq*Wk}XS@UJmmU(CRe_}#B1YcbnB|Z=w^z~~2nQd%rqUb#IbbVj&P>!eNMJ_K+I2$KGrM9xF2{jNw9ZhkXcj=D4 zu8RWZmRRtz2M41DDqP^k+yx9|cWpYSo}Z(@-vB_RS**G)x3Wk7kU54i_z~O(^N|DA z-$WJ}pplXRSQib!W+*Zz=G$#ila))1u(94pswNqkg8u`vnX&U9Pp!P zDCxG!7$`^vtc)6n(MNuJJX1;`N=deWUQ^&PT~yep$_P6(m?6-oQ(9{-AXts|cvi;d zaBsn8^{{rFm3r)qD6wQ*@7}(;2>8KI>?z>Frq%JKlD{KG1I} z!YPvXkR-rrY4wUMI*`E?`XR6))J*$8Bke$DvVDLwHk(atnGLb%kuibFHCBEHg$mBY zfBCMXhi)nXTZkSCXW6*i8|QY#YTjC40(!{gAHEH;H^*KnG`mMf}Zi1$-Rt@Is`z1^e&*rUq!8rm5YtMqm`4}t!L3z zLqX*Q{QVP1)ZmP|1X%=EAsssfQs?jXpceqJh1zJtpzd&FN&MK=+Re(zh0oj7{(tW= zyC%-9kMwE~D-&`7T$r?_IXYRM^nxqU!a9qVFX(3{D? zV78or;ocSohFu337}Cx$Fx1`N%-eEWfN|gEn^QVnB{`S`81?{_vookN0x1RuMt%m6 z*xt>-w=Q$m|7G9;OFJ;s0Hq;3Mg|9lDmae`$OAf(fsu&~sFE4TgQ#KwvfO~;5FRUo zH$yp44@4CkRMlRPg>aMiGJs6xfa=-H05sVSZuDNb(R&#{M(eEdSoEBi*vpIBXr|V|6+ebLLuQS*%eBowbkYNg#9Jp9#XG_55P0#!oH@%9H Z=KKrv6v$)$HVeLZ&p5GwV;LJG3jjc#Y$E^w