From 66109187d12b72696ea02101cec765d77d9bbdc9 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <dominik.stadler@gmx.at>
Date: Sun, 18 Jan 2026 16:49:58 +0100
Subject: [PATCH] Only allocate the required size for EscherComplexProperty

Otherwise a malformed document can cause OOM by reserving
large chunks of memory, but only using little of it.

This fixes https://issues.oss-fuzz.com/issues/476184826
---
 .../apache/poi/ddf/EscherComplexProperty.java |  18 +++++++++++-------
 ...nimized-POIHPBFFuzzer-6325615354773504.pub | Bin 0 -> 2042 bytes
 test-data/spreadsheet/stress.xls              | Bin 76800 -> 76800 bytes
 3 files changed, 11 insertions(+), 7 deletions(-)
 create mode 100644 test-data/publisher/clusterfuzz-testcase-minimized-POIHPBFFuzzer-6325615354773504.pub

diff --git a/poi/src/main/java/org/apache/poi/ddf/EscherComplexProperty.java b/poi/src/main/java/org/apache/poi/ddf/EscherComplexProperty.java
index 356cd4a8c4..680ee9a5ae 100644
--- a/poi/src/main/java/org/apache/poi/ddf/EscherComplexProperty.java
+++ b/poi/src/main/java/org/apache/poi/ddf/EscherComplexProperty.java
@@ -67,9 +67,9 @@ public class EscherComplexProperty extends EscherProperty {
         this.complexSize = complexSize;
     }
 
-    private void ensureComplexData() {
+    private void ensureComplexData(int size) {
         if (this.complexData == null) {
-            complexData = IOUtils.safelyAllocate(complexSize, MAX_RECORD_LENGTH);
+            complexData = IOUtils.safelyAllocate(size, MAX_RECORD_LENGTH);
         }
     }
 
@@ -131,7 +131,9 @@ public class EscherComplexProperty extends EscherProperty {
      * @return the complex bytes
      */
     public byte[] getComplexData() {
-        ensureComplexData();
+        // we need to allocate here as sometimes the array is written to
+        ensureComplexData(complexSize);
+
         return complexData;
     }
 
@@ -147,8 +149,8 @@ public class EscherComplexProperty extends EscherProperty {
         if (complexData == null) {
             return 0;
         } else {
-            ensureComplexData();
-            int copySize = Math.max(0, Math.min(this.complexData.length, complexData.length - offset));
+            int copySize = Math.max(0, Math.min(complexSize, complexData.length - offset));
+            ensureComplexData(copySize);
             System.arraycopy(complexData, offset, this.complexData, 0, copySize);
             return copySize;
         }
@@ -165,6 +167,8 @@ public class EscherComplexProperty extends EscherProperty {
 
         // no need to copy if data was not initialized yet
         if (complexData == null) {
+            complexSize = newSize;
+
             return;
         }
 
@@ -218,13 +222,13 @@ public class EscherComplexProperty extends EscherProperty {
 
     @Override
     public int hashCode() {
-        ensureComplexData();
+        ensureComplexData(complexSize);
         return Arrays.deepHashCode(new Object[]{complexData, getId()});
     }
 
     @Override
     public Map<String, Supplier<?>> getGenericProperties() {
-        ensureComplexData();
+        ensureComplexData(complexSize);
         return GenericRecordUtil.getGenericProperties(
             "base", super::getGenericProperties,
             "data", this::getComplexData
diff --git a/test-data/publisher/clusterfuzz-testcase-minimized-POIHPBFFuzzer-6325615354773504.pub b/test-data/publisher/clusterfuzz-testcase-minimized-POIHPBFFuzzer-6325615354773504.pub
new file mode 100644
index 0000000000000000000000000000000000000000..99c698207fa7edc05e2bfc72470a06acc81137ce
GIT binary patch
literal 2042
zcmb7FJ#1T56#njW9h)X<V}tmKIv7LMP^i*IumlmOG7e1(LB<F%)KWxnn@~57+L%-k
zQo_=Kp-2ocRV1vPB49)6z*Gs^bYv)Xq%L%cSsKSl-r+m<y=OmLFmRH0@A<j+o^#Ln
z&h^H<L~U(-V6(R=B%oZm_{L`vb4HOxQ=S5PwvL08G64VW2P~_q5y;|lqhMc^!~8^I
zIG-z?SD6-+BvD&m6M3jEwzfoi)k329nt+N?wdhh{Ul{|5T2*VH#aO{EvReajcf{A}
z^dPR|UlH`_jO=;^bNCb`=Nl~Gs;XR9M}T*;QRa%4tgdtT4oJdblpC6)9|tyFiRy|7
z27z?vT1v0@KIs*g5IKoF`bcBWX!Qabx=mv{(na0Jyyq#-a_WOI2RZ9SBcXLinF}|v
zLQO(rTbyD6|8`}5ks6~#nK=x^qlmBAWZ3;SS@P(KH@C)Nm#o7rN-5Sc6BW2O%bBUu
zMq|b{{(w95z3kq>fmj__8j~SoT#3jjTC=I_naOh#ljl-TQ)=urWbd)ydElK0GnFcr
z<}SWDlREm~7JfnH0GH&kq{yIC3IUodtI`-G31%G7wE)jx`W@rIsa@fgGXL7tudMTO
zTcI44-sOm@fJWuQp7KnMqUyHtVIune!`_q~FVM3-@H?G(QojeaOIa0Jr#wAr#FPfF
z`8e^xFP-3L5MG#mIVoGHu^(B^Z9>(Ry-+y`UM|u6C>)e$Qj+zDYu8PN3Q~?=%yPgF
zB+YY=)OXT{>Ua)vV`mz@^~_7n<GC--Z1Lz8<x$0~COBW6{i0l`e&SmaI7yDDh|O#C
z=hhC7d6q@8ad6P0nWO{bT=R^l8*)sR8BsidnCgG>jO{VG%zl?1>0^Oj)GK+kX<O9e
z&Af%ifNxR^1%2z(zG8I2rI~ZC;UW9~+N0W3B%;Ljr~=Zzx2orK=%TSMIV84wG-h+4
zMX@B!{V*&yCK|85m44TxdWJ^E)4yqlwy5pDz(|6u)2z=^n@qngIeW_L^1puls9e@-
zB-!y6(L``?@Xc@UCvLC|cIjR4F%Ufd^Pt8!KGNxbCC5i`8Z#*2O52;|p6s?1Q*20X
zmI7V~o^G{eZ~}+uUyG~G*se<QIfo_7a`>2Ex-mRH@w=HHe}D4BRB-<jc175Kflu`1
zV4u#%!a|!bkUipy&%iMak!|-bTb0cOtXfL|BG|0(t?IWWy0cBI#R|b1!w3E;K_!VK
z+~!4XB|{+dUfV_6p8DEua-DkkpRetyVsWZiyrs{Z_hu*z^#^K!`Pb3@K=Is=Yo?iH
ywxqFl(V+hWrPUE!UzLw$ug+H9u1r@im*y5$5HC`{aj%wGT~B&%iXZf=hyMX6{W!b;

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index a03baec0813e4b2f5fb87c33305666dad0360a45..e34a6c478ca752cd9b695543bcf39bbfc92e0865 100644
GIT binary patch
delta 2911
zcmZ9OdraF^6vyu^Z7HR+r4PVD#}9<D37fnMD{QO?jLrcA2aXMfFrGC)m&ptoO^9)c
zS(wf=@h(QmqKW^Q7$a(pA@hZE!>OA(MV#-ch#Ro^+;r%<w}+AYgTUc_f1mp~=l=Sm
zFfy$jnbyAek}0XFkHCkKR1J4_?;8pP2k$vZtYl&-G-VpqJrhmHn(>yna-T*~#>Z+G
zTp{;{l8T~&d{0rHr@&KKTwLJEEnL6vz}_4}wgmdSmB8S=9sPkWWu4N~0qZVhD5&%V
z2D_B5VCR8>?!h4izV_cYez@;tt!^W!CnQup(2$-^4v{wKW`bd!%p}CWijdASLM|l`
z65LJ5IotTeKr@Y>YjE;;$%8;r_%w$ygQ?|nF)OK-XvtjW%34QsWNsKVxJys;#GJfx
z9hy?}_`%>~M?&>8TH5!Djt<c0G*rX(Q~Kx=T6(17I^3T=N{ExZ0pBAl3af5VMphbF
z&D>aNVYTkYN=FjNo8iM+x}KT?upj!70Odcir8Jrvp4HK6IGAx|Bpn|q?2D$)YAkPI
zN4_hOyv?q}(6#g(mSUvYbdvdbd6y0Ga)KS><vn&9iuWY$(~EsYIE|iYz;X(%9fvdN
zNfdFxr&gQ-ZUkJLV!5$2nVw=bP`vM>#UNP>lEoldVua;1I~K7_aLWg1F-jJrWHCyX
zSYi2)SxsV=94Ow8(86E%M6!G$lVmYTmN;QK!$u;Or?}-TTFjEgELqHw#Ud;pv&D$T
z6bF`1&|;M=R>@+OEb+qfDQk!AaCaZzmUC#aNfw)Au}K!YuzbeOL@XD1`J5Tdw3tpa
zpBY~MFIYb>GwdiYU$RMF&a*{czG5jBAirjfynMq(Ef9XoUgPCEc7d1g!&WPOUPFIi
z6E;|0V6(jZ$Q*Xq@e`}z<!AOVFSBgI4%dERv%JhPhXcy5%*V?`*3Zi&b`(nKJf1UK
zoO1zI$KlsE8_vm}zUAi+-a+7XT|_n~!m=d?b<@i%#R<AA%n!x#8zQ$N@{p6Rwfv4@
zE{3l=sk`?N4D+PMd8)?wqVb=|=1Xk8iY*ZAU&t0<v$6#0w)~A@A%=HD*n1U2k7V_z
zto&h4B-fBFlGq{@TP)arkS)e$^L&DTG2DQmD-kBRj-gkwdR5jEVO>JDL}E)+Y^h-X
zL$(x~jX^UDkm9{$BZgCa0*c`#$+}5pg*SV+2O4C{B(_Y&ZWe45vYR7pxGsr4t+8k^
z_2CHDTrigo!*U2S$O2oP43CT+!`qN-gRnOm!-_}<hvd&{g=&CGF@OQtN{Ovhu~mYN
zLADB;%_qZHMhv%L=t_ax6^miDWUW?N{laQO)-SPs6}wfiama4PW@FIIV#e@x45#=6
z77VvZ)@>?ljj&pgt&!Lo6<aIVcw}p_S)Cguuwht-;r$Ty+A-WNS+}dK@XrH0G7e<x
zCAMD0HVD><Yy&o1;u9obcn5~Jtbz#=G29_pcc`q5!kUC^qr^6<*e1c=glrQwdjXnR
zTo~So;S8T38N;2Db*IYOEUYQWHcM=?irpnxH?q61Sz9VhunNQ77#@PKHx<Jc$=af_
zwhF6)Y^%h!s@Oe(O+$7MHZv<QK{|$Q7?$wxW(@Dbut%W-r5PBuORd^ftvW=jOk_Kj
zTcv?@HHLeaTk$Xp!_G(;?n$F3=&Kpj8)bq&5I(RGW%R6_HDpmcYtEu3!^zpo$;Tf#
WPeW;1M|dQQ4pVwLe02?tj`|-F#{;7P

delta 2789
zcmZ9OYfzL`7{||9cDd{>yu0plkp;O3p@35Yfm}o|F)$%eAy6SunjIVzX7U5mOcP&f
z#)ctgnBiD6VpCIJYMLghZ5l_d43o^ttVpQHw5Sltu9`^CIs66A%YJy~{qOJm{?EI-
zT)IcC-J{mm-*Co^`5ArLSy|WKM>-F-bsTu~N#<gcv;8B^9@~)+#_k&06<%6mxt=gI
zSa~gW$lms*wf{`J(SLsb#`JV{h&2)8B*mIk#>V0qyR@FM_9(`lZD4H9&DaxEa3x_V
z_dq>&Pt`=qHugB3;Pi6$AMHpeoeEn_t<1`%QWvjn%*Lj=NQYCwESR}{i|<o8cMr{V
zJk$5q3%rRBSb6Wu7H$!}R^AtAwebw@Xyx)SXRW+7@LVu&qc!Y{0-F>ByrKL>i*bU;
zS^6v_9nDUPVLM;V-xD)-(!4L?95g-<<#L=72j%!sJTJ$vIP2iP{L^&&I2{jWK`fSD
zRwbhiN%j%cAxfP~nJfxn7JBcrNOW=^KO>50ELcJ{OPI2Zz!Iie!eHr>mXF1&OD%TI
z;!u{eusAe}W8N|lPLfYV9F2uloSGzDNzOqMu1UhNN~g4ZDteY$A~cJkET6$*XchyO
z32FIU+*)dJX%>3E=mR_ti(9j}VX2NF%NL@Z#=;#f(<~lkxd4ktvv^=RDJ@@$@d%#B
zzY<=9zU^O&5;;aiyByz$!*W~{r{owDGX|04VwH==x1!la;di1(j_<`ga!dp+yZ9>>
z{)6cA(B&m@OpYJLq=!yi7KvUOS46!WKZ!msz4x;?CdZ_hl;aoSjim9bD3Rkg(N3db
z3OA9VZsICk9jBkQ47v&VMBaHOGt~`GgU!^~OcT3CvDd_mY?%>pQ9Q%=9VhReKPl>>
z_-f-i!g~<*M)7##4}@zGzDuG1PlQ=oah9n#TNVEWHd|w}O>B;0{|1|bvf^mk;2(td
zBHTxz|6hc;nl;yC%~RGJVDmIK&%~}%>`k!iP&O?$_zz(|!q^zv;1<FH&01ix7Aos3
z*g}mhG_ggBy$!YqWrI{^%pqKlaD+m6T>TO%)~v-Q>jq`zU^mROf#l`<h{doVErIr&
zkGg^omQt9)u8NyJdN!;GH-gNHqtJ%%K7{+?=yM51xM@D5#pMIM$+T6O+A0KWnZ}lx
z*v*O!1-lt#(^O`JA-o@9Y&>mXM_8^|%T3k_Wp#k9(AWwSyG5~1uv<_zNM%Mi!UqtJ
z$PFS8Zq=+?P1Z_fHNaMCY^8~<QmhMX70Rks&<1XV4<dYwLjN*^)ta^1WUWzF57-)w
ztue9N6zc`M4Q03G29XH2BTP@A4Wbb4(5yR5)>>ta23xDKwI;Ssu`yulQ1%*?8Osqq
zgz%!=AQoZ0X010_>AxKM3*-aaps@`mcBf+F!0tp@QzC5;k8l^lrz!NWK)748?lxH)
zl{EouqsBIx*e1m$f^9-sL=tU~gz#a61xb9rKN(@OW^FcETa<Mr*cOd#F|m6Tn*w&v
zoeh#{gH(ij=fgljG9TsxEBS@DQ+R%mb1h>fbeJ9Oe90qf(zr*|r*UWKp`7g#C!QMT
V{Yh4DpgWCsaULJIv5JQT{STEb==A^q