pashko/apache-poi
1
0
Fork 0
mirror of https://github.com/apache/poi.git synced 2026-02-27 20:40:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Only allocate the required size for EscherComplexProperty

Browse Source 
Otherwise a malformed document can cause OOM by reserving
large chunks of memory, but only using little of it.

This fixes https://issues.oss-fuzz.com/issues/476184826
This commit is contained in:
Dominik Stadler 2026-01-18 16:49:58 +01:00
parent c9b37678cc
commit 66109187d1
3 changed files with 11 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
poi/src/main/java/org/apache/poi/ddf/EscherComplexProperty.java
View File

@ -67,9 +67,9 @@ public class EscherComplexProperty extends EscherProperty {
this.complexSize = complexSize; this.complexSize = complexSize;
} }
private void ensureComplexData() { private void ensureComplexData(int size) {
if (this.complexData == null) { if (this.complexData == null) {
complexData = IOUtils.safelyAllocate(complexSize, MAX_RECORD_LENGTH); complexData = IOUtils.safelyAllocate(size, MAX_RECORD_LENGTH);
} }
} }
@ -131,7 +131,9 @@ public class EscherComplexProperty extends EscherProperty {
* @return the complex bytes * @return the complex bytes
*/ */
public byte[] getComplexData() { public byte[] getComplexData() {
ensureComplexData(); // we need to allocate here as sometimes the array is written to
ensureComplexData(complexSize);
return complexData; return complexData;
} }
@ -147,8 +149,8 @@ public class EscherComplexProperty extends EscherProperty {
if (complexData == null) { if (complexData == null) {
return 0; return 0;
} else { } else {
ensureComplexData(); int copySize = Math.max(0, Math.min(complexSize, complexData.length - offset));
int copySize = Math.max(0, Math.min(this.complexData.length, complexData.length - offset)); ensureComplexData(copySize);
System.arraycopy(complexData, offset, this.complexData, 0, copySize); System.arraycopy(complexData, offset, this.complexData, 0, copySize);
return copySize; return copySize;
} }
@ -165,6 +167,8 @@ public class EscherComplexProperty extends EscherProperty {
// no need to copy if data was not initialized yet // no need to copy if data was not initialized yet
if (complexData == null) { if (complexData == null) {
complexSize = newSize;
return; return;
} }
@ -218,13 +222,13 @@ public class EscherComplexProperty extends EscherProperty {
@Override @Override
public int hashCode() { public int hashCode() {
ensureComplexData(); ensureComplexData(complexSize);
return Arrays.deepHashCode(new Object[]{complexData, getId()}); return Arrays.deepHashCode(new Object[]{complexData, getId()});
} }
@Override @Override
public Map<String, Supplier<?>> getGenericProperties() { public Map<String, Supplier<?>> getGenericProperties() {
ensureComplexData(); ensureComplexData(complexSize);
return GenericRecordUtil.getGenericProperties( return GenericRecordUtil.getGenericProperties(
"base", super::getGenericProperties, "base", super::getGenericProperties,
"data", this::getComplexData "data", this::getComplexData

BIN
test-data/publisher/clusterfuzz-testcase-minimized-POIHPBFFuzzer-6325615354773504.pub Normal file
View File

Binary file not shown.

BIN
test-data/spreadsheet/stress.xls
View File

Binary file not shown.