From 9c2f487c98a36b9b7036bd64a4576bd5a3085336 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <dominik.stadler@gmx.at>
Date: Fri, 16 Jan 2026 07:53:47 +0100
Subject: [PATCH] Bug 69927: Avoid NPE when parsing wmf-file

headerBitCount can be null if the header contains an
invalid flag
---
 .../apache/poi/hwmf/record/HwmfBitmapDib.java   |   7 ++++++-
 .../org/apache/poi/hwmf/TestHwmfParsing.java    |   3 ++-
 test-data/slideshow/file-45.wmf                 | Bin 0 -> 24890 bytes
 3 files changed, 8 insertions(+), 2 deletions(-)
 create mode 100644 test-data/slideshow/file-45.wmf

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfBitmapDib.java b/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfBitmapDib.java
index b6c59a2dfe..bb2e66bfa2 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfBitmapDib.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfBitmapDib.java
@@ -243,7 +243,8 @@ public class HwmfBitmapDib implements GenericRecord {
         // The size and format of this data is determined by information in the DIBHeaderInfo field. If
         // it is a BitmapCoreHeader, the size in bytes MUST be calculated as follows:
 
-        int bodySize = ((((headerWidth * headerPlanes * headerBitCount.flag + 31) & ~31) / 8) * Math.abs(headerHeight));
+        int bodySize = ((((headerWidth * headerPlanes *
+                (headerBitCount == null ? 0 : headerBitCount.flag) + 31) & ~31) / 8) * Math.abs(headerHeight));
 
         // This formula SHOULD also be used to calculate the size of aData when DIBHeaderInfo is a
         // BitmapInfoHeader Object, using values from that object, but only if its Compression value is
@@ -348,6 +349,10 @@ public class HwmfBitmapDib implements GenericRecord {
     }
 
     protected int readColors(LittleEndianInputStream leis) throws IOException {
+        if (headerBitCount == null) {
+            return 0;
+        }
+
         switch (headerBitCount) {
         default:
         case BI_BITCOUNT_0:
diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwmf/TestHwmfParsing.java b/poi-scratchpad/src/test/java/org/apache/poi/hwmf/TestHwmfParsing.java
index dff936b099..3f8e270896 100644
--- a/poi-scratchpad/src/test/java/org/apache/poi/hwmf/TestHwmfParsing.java
+++ b/poi-scratchpad/src/test/java/org/apache/poi/hwmf/TestHwmfParsing.java
@@ -54,7 +54,8 @@ public class TestHwmfParsing {
     @CsvSource({
         "santa.wmf, 581",
         /* Bug 65063 */
-        "empty-polygon-close.wmf, 272"
+        "empty-polygon-close.wmf, 272",
+        "file-45.wmf, 1315"
     })
     void parse(String file, int recordCnt) throws IOException {
         try (InputStream fis = samples.openResourceAsStream(file)) {
diff --git a/test-data/slideshow/file-45.wmf b/test-data/slideshow/file-45.wmf
new file mode 100644
index 0000000000000000000000000000000000000000..629358801701ba25cd4c730d495d351961ee6b18
GIT binary patch
literal 24890
zcmd5_3w#vS)j#KM0!iehEFh>DL6oAwH$IBckkEn>k|rUbqBSH@;3JPF;niBC7HtLb
zfp3czQCn*T1ZiuF3iPYC+WMdcgMwAm7Hh4>THAuK^Zn19xjVbb&az)u7lz;LoO|b<
zbN}aY&%JYJv$VbN>^(%E&@ehHRBpzR9J{KRa*0CAP9^F>=XRC4ESw?Ep=?|aGsD0k
zR5vr!e90UQ>Qj@CPdRR8y%JT<sIP0upIA3Hzr3-&x`Cc}@Z-6gaps@;$=n%vSA<1o
z0b2LL^@J`xDWCqq#b=Bw5<CP%1WZKbhUhEJ*EdaHGi_!M)D<3<Prt{t;~_Xj%Jd$!
zR5b34;<B3JiQ^{^q``E$+w{uj={3@$=+xR=T{9g$pLmkv?AuH9%WpW&`YA*cM>4(k
zy5n>m<~YCnq2s&`5c_T?`rBs5nfEZ!=7mgVX~fyJhUu?;nf6v0I(tLJS-fk%({Bk=
z)%u82@b`$*^*BQV%OcLGb&m6e3z*(LoM_VO{Z1idzxNx*DSVU2{EF$>V;yJAt4#OY
z<TxwBMDM*Ban??TwT~z2SxL0yC8i}q9p{3|h%*H^_m(<N&3BoOxQS`TeU4Lm3{%S~
zj&s#th;BR8ah|vX_`V-;-g=&BNH)`Q;NG#C>E~HYId3@5_75Cq#MO>7_BNs)pB-@?
z9ZPiIbI|jPOkKZB^yo;(Iqe^gGXQ<hf6;MXEF-$GFycH^<~Uy;%e4PV$C>|W#2I`o
z(cK?KoO8bGI2V1$G+{PT+t!FPY_Q`j?&>)0zjB;U?v6O)RyxkT6NqXX8mIjMmOqSo
z5hIp*k?G!@4hMY%^}}b5ONVIy=zi1<pJBJY2V#S%uS@p@x5Q;1@OJa+`=h2ScujYv
zJkUKMk16E#l7|R2-Hj)w3+SWCxNW565!4%>(l^tQ=+|`5aZBWW9)&)oO?P|}^}uIu
zItritU4$XGjiF;uQ{UQJeWa_Id8<3*_r%#7XMdbWk(o2Cetye5+~?91Peeb<DeWyC
zd!5+fKFVh7?9S~mlo{v5%EG3V=)Vij9Gpe@g|q&rx}i?Whe5xdK-(Wk^W1wy)y>ly
z8|KfFyLr&N7i`-HIwKp<IB?c9PH&ur@kmEQd8sV5m0~C3N-52cm68Q7bb*g@VP)yV
zyE{+&07iH#2Oba8;O2^^k!T?`!j%J_JYehwls$m6m+P}I@JKuyM<>zAG@MSs=stta
zq7hU;=TPOu@lCf0K8iT<PbmNB2U2U_?In2ikO-7|qGOI^S~Ro9t(Mq00u<AQ5uzvW
zK8hwjb0IX8woHyQ7j5fSOr~{}%YfImopu(};sujvf7iQ#U!v;>wC&QBY1y|<r177O
zfi_mc<pY@>E<Tf*UTA=R5_jG3*?R}ka}VD@o1fm{^omM;`(>h^_PvW%{BxxvBO?U4
zO!p3ATJz6A^rN%p!73`5=og!a{ygkDdh$Q#!tx?n#?a!Ah@L-T0nOX96n2%?64lo|
zO0?msB{bxY1+G;^W5?Nq)L8fJ0;*ha73?q84x#?WBBnbos-ugBcX3B>2=^RkSRbb1
z5x3KCr_Dhmi7or0?dyLgdiNVk=$p<Kr#otUqn_zZvG1I@G<(}LccgYlt>c{iKGD!c
zWwf+n75ptDxH}{~-$r!t8)Inwu^&6xsF$(Lv~vT|BmcXcPR*W)$P~#v(RR-`raODj
zrLX;ErJD_MaEIxbpI|P!;95Gm@#~0i$sU5C*Ih&}Ty`Nf*Uvy)Ydz79bC|kqYoHs?
zALnL+FzzsI+XxAx=F(+9{5D32NRZk`w-UWpF_oq^R$&-uL=cU98uRA(Mq2k#1BQmw
z9*wqn$g>l(Z=|!<TuS8?B{e@o*p<zYc}YrHR8dmcG`_H;Rp!#d*2el4T-~D=-9Ql}
zfH8#=I^1imDQp@%rLt9ARanzHyLwiBNnLfz?B=@qx(2sa0<@^Stf{$idW(z&ao#cv
zpWl+hu0$E#$_fHUYg4H!vN!0`rq&ttsmXj1GPBr0XFw^71dmrl5>1%&)uze`Uu~5e
zUj@n;t@GV_u()hUMIKw+-NVo*MjsgxF-6xtcIXblJ!Yz<DF$=OX<?}C0FBdO)JsI`
zA^i*U<gryXat`&%`M8FtrLn0=*9Sxum1CRSZmK4J*(LZZ@K<@%dr~rl&!);LV=G0)
zlDd|b>MQF&xkoR`4<T<@731y(IQ@iBFPdtZIygP12T9_dxE6s}tQ`_^J;Lr}d`_-z
zZkW+<<$3v)jg9$Ocg@d7POojruWqi(uf}v$Grg`hzqK*Hbm*C1(1o3wF~KR*YZ0!Q
zv@BJOt?=y5pvSqi<3!q93;p_8HM6deP=LY?{^8os^<p{dU;>P%o`B9_C=!Mh()?(x
zE@^tgm7Mrv)2HkA-u;#LHa@a`<&QqD-n{YRGe@5E&W2sc7J6Jaw(oaV<o#yj+wWAq
z(dXK~ZCqVx-YvQ5PowSqwKum7yt-o7#(R!CWAM0dzA-v)caNVmZ~1fdzHOKI+CF;6
zUw?Pqmj?cEW8XK1J5%3#dGw40H*8!u`R}8js(k6{N7j6AbQvr+9Lxh_PLP*hamBwz
zTUWPxz4_OM#-jg%tL&o6rjuNtGiJ>%nlY=f0z*=K<hYfXWsbsJeidBCVN4qa1!^e2
z*!A)WuVzzmaaEIG%BN=ZF9FR|Q&+B|k1Co9weGRj277m2*%+52k0zE^dhMzz2D^1(
zDlV&Vsev>elq;{XsHn_q*IK9)H<ny%>sm@|-Gnh7MWvSNR#ax&eR*<alVnJlaXLQP
zRN$UykxOOGvx=?()ys=iWFyxWxGqHXLbnXU%~H7IUUA30%0=62J=%S6wesVNR<zJ9
zYrWe8%BXeQfgs0gkLwi;P4%+k((xffr>df&NfvFyGGfFNWwWMDI7Vu`G1N&jS=v%n
zaY@vEO7UA|kd=jdli|OzisC5UT0FN3Qy~uNgQZ(qjk6ogs!<Na0-gt^HOb0ETS=_u
zg{EYU$E0;iv^G8otqo4^EmdPAGZVK|6_p4<EmbWpftoQDUd=Rnt5S)|k`_GX;;5Zm
zSt7nWl3T~MxKs<3Vl66(R`F#A;7#wjm&E}zocrTbEZGh;=}Dwc619(9vuDp9BXh_;
zC@Qq}Sb(7_TJA+zOd)p!NdX(LKHIHFm5Z=|Ls(@KjlmUbHk`sOr}~*FA9SK48qSGs
zdUe`!7FKZZMOHIC&BfSD&{}zBR9tdxN3GZ{SKJoWOK6KT%d=>_e$paVUOV(utGI!H
z+qRcP7*u9@HkgDy9>E!O)&8^HRr~RwY+B7&QF1+P;_GPxFLBG-#-dTnv~%`n;GrN?
zw%($XHQIojCR)P{w3b_FJrJ(;Jk=SOcq(j`0KZVZO=GmJ!HOEsJ%N&xvmO>u&g)?Z
zr9_&d`TQd?+l$Db(=NUiIw!ZkM%0m6iCd?GRwmSBr}d8HRf(NH@p5{d@1#*?5sfz2
zyXEBAGl5QH=lk>q-{m5Do9_V1AY2*&*8{)$eK~lvt&N=^Ny>RAWGm+)*g+|grZO_2
zul2@D{19#7`;md3q6lv$DJR!@CB5une*mo&`-5Ix*ldOrt$WD38#c)~?nnR1@f1)f
zWu@ery?ggYGpW!v7iwOSj2k;sNQ+qX?U+f@w<!WQ>7hNyj-SjB8)zgir5;{9*!<^b
ze$g;^hVb)dtX^R8^z!xAUhTM!@Ab3L+Gf|FtF^O@q*M5DI-MV*3VxMJc_&HPT1Kxv
zcCkU&tfkXD&#$FZJ!+jth0RV#(P(%avQpuA4E-y|t3aWYl@c6DzGq@B?njdE5!E7{
z(FwJa9@b78NmJ-~ywO-57tyjdl2$UaiiW|F<XbydFR;YP^GAq{r1)NK{HCLIPz2d}
z)taNLi$_catu~dk(#)azOe;y*T1KzF&$OHgbUH&+08J&(O`$cWoPHcPDhn{?1&`QN
z<Fys|H4cSOvDz6TNRo0&AIdogc2G*BrLQjlCOxzVo6U;&tkB^c3Tds4247FBlSXXf
z*6DaB*~&uhS+q6_bqN)4PUv)QGoyK%Igh2B9D63vY3vN=?9gf4HFO3L;#nrprWyg~
z0l)ga09sf(>&i4pl5(C7`N}yOc2G*Bsf<kMYrWAwG?4p*^6~2ABgzVWNKy{+hGIXK
z`+C@q<$fMDko&t-*n9{ns*hinoFgCoD+gXQc$7#<-xf&+QA}j&$XL#Ao0+^eFke{z
zCTpEZ&pmJI`B|L5HWmCFPALa@E`3|3I?8n%)w^h(H4XebGo7Caw5djv;MWKcK5J(k
zM?sR5Q!JpI6|jS)o;wKR=oe-gKWT2~1*VO^VYafA4;61L1De}`?k=3m_-6<3##Z20
zOA24SH-aRoH>3~cY=a$?5^3p2-~VqUucURRi53RxX?4<(oVax+NAjcQ7FuPNQk%Jl
zUNQHPln<5Ixdmu$0J>%L7_N4O)OnSm5pW;ytKWss+F3_(kR;_?iawO{9@s%Ck(TM$
z`93w688kA**h$<vld*HDxt*%bt@J&!jTV_UlJcPvJ9p4!<~F+A+)Xt=cxj+bH3Hgz
zU;Tc2w5?r<2T4-STVVm^+y*-+CDPK5om6K%yP8@IeV3X$sn%=)rl&~CLEcd8chC({
zt$k{VTNj1|tJ!Ukl?un5=wB_c2`H4ZQgY3ZAx?C!MreO^E-2-RHTFqVTEwE4y&Ns4
z6XB`la=V*9iC;AZ(N&q<HSwREMZ@4HZ2u`JRxhx4dihW4s+WDjj_>ue&^on9^7ro_
zH>3D*Q^Zs7lr#lTNm5pf7EMR&>G&j7bh^45&Fjn<oJBx&KCkj@*%_C{>v_PhaVQ#D
zJL{YfBuP0%zH*8UloDy_$6%`Z+Hw7YnaEqrg?KVtj3@1-Eaf0?DE0~bvWIvAzvxjV
z9u+oAAw~6>2wACcT!{XaV=+)DB~sG2MQY>GzRL*l9Nt33f!bUD>e?!C>r6zd_1qkO
zpXTsxynT^V==Z%G);V6&w`HnvrQ=AE&Ea<XHorr&18u7D@jmdY--XZGS;tY3B<0+V
z_R1+XurloXs7!ieGDm1CJ2Z(4xQtI`DXS(2-y0E<FCARMA)d<nsp<gUI2riWlEN47
zjUY+t4F?ub&H|p~QC3>6*|%?BbcPn%&d~mh7dw+li&*>ld&TK^HMNXj_aDp6Omn;m
zUNMWV!85c!i^b~Y&(OZ!*2bDy;(N90f^@XDd)+}-YiFBTrkWGYWHZFnnEgE6L|Dq&
z#-iznJrn3OvkWnpz$a783Fd2NAW#P3(uj-zzeePVW~$fLuDpXJDd!N#R?hug<55;x
zuGznTe>9ebwy~^ZU1BxX=h7k;r>sV`oQ~a6i)A~z5%1(bM89RwIVXv(!LjW7J6110
zmVLcdFT2`|@Ab3LI<<Mof1k6J_fQ-E3vY(|@uxh1rK}h&nvU4h@ky%aG?w?!HvTtl
z$4s#k2)BB<wlgk`$N|8w5xFPY*2Z#>B<1`UETEkI*uEhbX_<;an@=6S*1W(K-dO0Y
zXMF4=Zk-A5*gRNcUgOKn>wL0V#iy7bBM-cG03YpS`&7G=r+Haphew4W;S{g#H7}>&
zO><I?*U`UvZWT}{B~mi&xeXKwT~Aw5^jzZBne^ONvl@GC>u819LHA<sNXm!Gs9!^W
z1hO{lfNVFb=(mA3)v?<K{Ob4B(87)oT^k2UQcmeZId{MgN?B>SX6R6VzeH#|gC$<I
zNQ+qe9gO{wJ$M(rh3uYt=aq<P7(9ddSw8U$=Id>3tgEs3UhTa3`Ny)qU-B)yd0c2d
z#@~GQ=Tg&$rK}h&nvU2rflg<zcDl;^ldd)cc#(M*2!n8GMD_uGjl&P=TODFKNRo1X
z3=1e{e=heZk*57+LSH*4tTek3hi}n4?kV){L&h7s=>hXL&JSokzQMHe0N&UQ9n_|x
zg^ha6EJ2dg8*ib#a*7?S45e~S_x4D1Z7j6SEIQwJ{MMYbh>e<q@tn7tU*MPcr%C7b
z;LPHWzQmcu*W21yGfRB0HlKa|v78nCuG6o13va}^neXRkaY|V+S~MN8X9AsOmMuW@
zGH>EP@-y(x#z0&ek%C|2Q24B!HI{=UDW_OKIq!!ZETz(NO(f#Svd}h`6VE2nBG!Hf
z<2i2$59UkxlfaxL8V1L*@9)I1?CWi9tg#&5t4hhlUj_KjdHFn@2XZZ+%cVS$%UQ~b
z(W3FOtLMwnPW?R{t(B^U45dmTNhxWklG2HOm_6xX<3{ayG0+d?5rG=STR(B@bkL^y
z9BXIAIxgfoKA)HJIXKS;U3dWOnLwwRM3L3;7@i4F)&}AdZ-?>LXQ}6R;j?zuOcEr?
za@KjAVgrpGD@}Hc{J+W(+Gdi(vxl_MzWouY<#g<pGyri^d$8{(zm9#s5P#s=p!19%
z8U|+)f3zjeB);C(#v1wYz3SgIh4D_Vuleu)$||*J&c<IV;`a`^97pZ=o2`5r#(g@h
zO!QmN!&&|SP_#GL=Og!<_s3-$8arE1`t?E$cUz?Ixl}c<<8hS9<#SC}o?!k&W#&!%
zoky<cNA*kWH@P#1PRC;ok2YQSJRqvVYW37O8^_`j`-OqM%v)jR@+hyZ-SrBRq?}!0
z0ik-s1`|9=q-9QD>x}`>w=cYrXI`ZqW;;n)Q5<}4WV4{@2Xsf9{dB|uys;hl)uvs*
zr#e_~1WB^q(6P}QHpug2h_uXm<0C$s+c6XToWF>31WWl)@y0nWvUVN?R3rGWfw<JB
zBY<DMaW>k=dm~7aa*jkl$|*KbN~C4p8~gBH(&5Ya6}|>*{RJ%LL&Y0Yf#z%2F|Pr_
zOZeY`xYVW#fL|?n3Hai@5hO`DFN1vLyaskqN~C4p8-q*@pNR7Wa|;i0&zb{hU5mDg
zxQ2&#R4pIxQejtuy*tROOU@zvE5|KS$$};GwkR}JT#Rp@&or%krJ2W44vI`c95$6)
z<YBMmF&;I^qr#AIrB_!4S*dVTpntVRD^Mt9r362l`YXoRm6!i)>aWbww<*+4dT0;!
z{m(9Z1NCwGlIP3B&t<_YN`J)|s~5VDljrYD+jo%hz1nqb=GM^>>Kpn!_Q|X*^y+&_
z%NA|N*5dVCgWn2>?x_jwuhoUS<NIc55!>6r*oSzHjxmqYhe=0Fu&;gVB=&X37`E1n
z@6|@w=kIG9;p=!<Xd(Y6E+S+9GB4iOiCd?GHnryjf7gUVKfpKb9^l{LhZmnQPqUO2
zqqUuHY0X$G@wa1|iSCb5E5N6BpN15@`-5m*a*hY0-xvH9P$;jJ5*+u5bAccCe*CC5
z>DV-Bg2PSi!9F#Y@e@3V7kgH;*~Z5s8V1L`Z|%f!@9P~ON%6hfUjhlr8a|rXUVQ8M
zC^BU|JANMG9Xyv;C5^#g>-pA+)e8oX8;_l5i1=Qu&(evR)W)H|6TcceMyvT2#LY6C
zH-cUo7(wa#Bvo|!ynZA6aWl@_fNC*67>G+Vz>R35qgXVuQL6iAL6Vg77PMDRv4K)n
zTCVB&k-rl!v_I~okB&2-w9vl&m`LAl=qTx-J=kwtE$1b?h+8}x=$PubzY!eEiN`3q
z_w?#GM(qq3->dyQ{h&<XTPJqJ_?f^*ktyrhJo*HG(Jbcfab7GyR0s|k!4e<A*7L0s
ztCw#*UvJgRS}(p=+e?u3d^EAW_}24LWXgIrkKV;M;4gkJi_3el>yYHu^Q{xBmv22^
z?|AFQ_o`CTdkd6mrm{P2*O*)J9kZMGVe?ad&^*CXR*V)+N9>u%@|s6)<?rBm_&WTp
z>SA*<kOkoq--LnvL2os5YqYK1X$z91oHxM&LiL6X9`-1amZ=!DBX}3TWY+M#fqKTr
zPU6<-cqi!F&bD6r_vhfJ%y!;vUg0-Qj@fDQjFgl6=oPeAOTWS!J*v&4!jQ1jtJ}^`
zxl|a^lX3WWbIh9_uay$K7WT7D>}d6~kUyF;6#;ez9B%N<X!DX60gChUp8?~0%}(?8
z12glBgz|3d-}sG)Fs?)ky^n<+u~2GI*tBUAZQ8kse)xPlIiI%EiWLu{dZGTTC{m^V
zUZ(z7rW6nZ?tFQs{1z}|%5NCTHFiHh%UPb4dbw}2@Y~*4U*Q)FjTuxizooUVp2G5f
b6UgtMA4iMjrI#z`<p1>c<Yu`)s7&;K<ni30

literal 0
HcmV?d00001