From bc02ef070348ff2c94f85776d344c83cdcd80ec7 Mon Sep 17 00:00:00 2001
From: Dominik Stadler <dominik.stadler@gmx.at>
Date: Sat, 14 Feb 2026 20:04:58 +0100
Subject: [PATCH] Avoid NPE with malformed wmf headers

---
 .../org/apache/poi/hwmf/record/HwmfMisc.java  |  14 ++++++++++++--
 ...zz-testcase-minimized-6701721724125184.wmf | Bin 0 -> 87 bytes
 test-data/spreadsheet/stress.xls              | Bin 79872 -> 79872 bytes
 3 files changed, 12 insertions(+), 2 deletions(-)
 create mode 100644 test-data/slideshow/clusterfuzz-testcase-minimized-6701721724125184.wmf

diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfMisc.java b/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfMisc.java
index da669354df..8130f7d7e3 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfMisc.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hwmf/record/HwmfMisc.java
@@ -511,8 +511,18 @@ public class HwmfMisc {
 
         @Override
         public int init(LittleEndianInputStream leis, long recordSize, int recordFunction) throws IOException {
-            style = HwmfBrushStyle.valueOf(leis.readUShort());
-            colorUsage = ColorUsage.valueOf(leis.readUShort());
+            int brushStyle = leis.readUShort();
+            style = HwmfBrushStyle.valueOf(brushStyle);
+            if (style == null) {
+                throw new IllegalArgumentException("Could not read brush-style " + brushStyle);
+            }
+
+            int colorUsageEnum = leis.readUShort();
+            colorUsage = ColorUsage.valueOf(colorUsageEnum);
+            if (colorUsage == null) {
+                throw new IllegalArgumentException("Could not read color-usage " + colorUsage);
+            }
+
             int size = 2*LittleEndianConsts.SHORT_SIZE;
             switch (style) {
             case BS_SOLID:
diff --git a/test-data/slideshow/clusterfuzz-testcase-minimized-6701721724125184.wmf b/test-data/slideshow/clusterfuzz-testcase-minimized-6701721724125184.wmf
new file mode 100644
index 0000000000000000000000000000000000000000..abda269ddb7f7dd9f8592ee8ffbde74ca47e92e8
GIT binary patch
literal 87
zcmcb9_Sh^2F!(F8SN#Puh`BSLk%5zeftgK{fq{jg2`tM3B%K(YfqW3n45oD%89_9J
NWO(-fKS(8n0syOI4zK_K

literal 0
HcmV?d00001

diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls
index 099e41e45eaf54a12c0e028ce3fe92af8c16e108..cd4be7f1dc83d8ba098d205341a9fde76dde2a41 100644
GIT binary patch
delta 2707
zcmZ9NTWnNS6o%J2J#DAg>9o)(Q-+yBp*MQJOv|*|TDexhf&!(|LJOivOARdnV+wuo
zO+sK2cL-KPl!wN|D3dT6B0Ts&V#0%|qH^<wB7y>fR#3pT&-`sU(`jaPe`oFQ-}}ry
z(~(=|$Sw23<Ec3x^pX4|)8ak7+g=%Zd0@xj>y$y8QbM1nz7e0|AZiMCrnNM)H$1ws
z$Hz^FR+LoK1u7~7Rq|U?SyfwEUsJZb|3wc`>%gwQt^OSYL;juHwrutH?A$f@Qt9B(
zt9_w|eVffjde01X^=}S;*1yawI6z&AM5z*8xPa)~9HOFTqHqq;kxfLLP1GR^dplgU
zvx8mZ?KAZvX;>z(ye2|#4f@uOCrwk6Od6j*J&vb%8s8%p%u1jHn($0tmu#L$jE>1j
zxB7@O!s$bA?muBL8|oNy=LwU`&3K2ALBkQhgL9L*AIO~=W+FFzDeut{(@feXhUmzU
z(Z^HQOc|9<U5lq|`bw^8<K0I()Ow?4c3NygHM{tjL9DL2cwhQnmR{NJUY5UDjg_%4
z63XPIazm1*w-T?n61kqm?;6f?2-dUQ^tBqz<|6(^oyq1B{#M=5<-GE_rCd;Lx?EJd
zrFbu4UV=5R4hv2oLoAooX*cKccj|(ahRf1<N^U|T#gRu|rnPN3CerymEDoE+0ZVy~
zSbk7#Ql>0PHcPT)`4N_6n<W{RceLdvb@Fjbip`?Wl$)-=q7RIlCU=wyi*uG(epV$?
zrq+^Xv*;t?re9!5w^`C**{3a6)se?7PMameviu55hRu=z%S~;$rcykQt;J=tWLlQr
zV9B&uGGXbK>3m(iCdE7X8D-flGc3yu74~p|e^=K%^6~$n+__S2s#aZYsR3PXt0TJn
zsm|m|=N<J(m%A!3Ti{=+SC_xl0bM2{Cuj5f2LGeB`($`eg><>EPWxoWziL94|5UkO
z$^*6CFV`NbkS>qZX(<L7>V}_-4SC#h^0-(^YaW+4<BaITRATMaRKt1fb;biO1RN8{
z3F?eY;6!yt&vT%q94)1DxhR+fSP_LXIwjvC6>{73@tr)tmDbHkMsFnq2j@y~3SbrB
zry8aLRs&uW7)%4Ku|?IyMAceR>FBM6pk<y|oq%<K{TgNf1^^EW47vd8ZBg|xQ4Lm9
zCVCqnxUH>OfQtaV`2uGE1_74~49)~>v_&<>L^WAa+30P8;Hb8`0iOUot6>h{lTjGC
zm(Qa{a29B@Evq>utHsLlptnVO^T||S6mXF<7w{=$B^3&s4cH3UQYZ`X0zM7cui+fP
z#ejze27Q1_qEJTq1TBeK)KY6ve)KMd;I_8r0WJgd773gSxEye~z~DT<6}G4qF;Q(+
zR6cs!AULY6^8ud$JgeaXz?FdabW{Q0DqGa5n5flOR3Um-L(pC<)*`@X0f#j#25bi$
z6Bv{S-TE)F#ul|ECTgt}wGh2)A&{rr>nsI)4zN_iGQj5nI|K&H0oU20*2P4vx1uW0
zyB>m%w6zj&1K=eMs{lIylNL%;HQ+{D)W(>oPAjSgy`2zj5rMN7@CCsA8rA`B0{lcr
z1pvEjQC%@n-BwgRdb=TTm2$tc0dVtVRH;NQ0^BkgB`_ES?6F1l#6<O4QH|*BjrK-d
zWjvoxRB(M<TA-S!S(--1>gMIB_G->j8>%_galU-t@hhVjIh1G4h>TS89ySgYMDEvc
GLfrp=Xum-K

delta 2397
zcmZ9LTTql`7{}k|<6B^tU6zBo2&^0g1(pR?kOkKSDnu<bFjNE-ajY>zoAko5aiR;S
zai(-=XM8Ri#+s(-qKgiU?lcZHPSg3Ki=s3!(+*}Qu`+}*dfspU#(cXw!=LxJ|HJp~
zVQA7EnlxX3)1A}#sFH_EwI1BL>#+m7_wC((L}jR`EBdkf8Ao!eQjyUfPfIfuj*hes
z6hwOmw@2R@?02kGt)?0+*t^DDdQ5FgQOYeXMN5?Wbdgf2%}PC&qtx|YrMl*e?olc<
zdhGFT${g>Ivpfz<faEz7y|uq!<G6E<n#xq;rE_P8a;Wix3;s_ft7J8kJNLS5(@aYI
ztc-NaH$AIHA31R1*%K!9o;HY#Sf5E%X6$4txt)$wBSYO}R~Ef&%qo5(i=IqBM5Y8u
z9U}S9jIGM1hvZsab1M$L5<4}IUNXF&lTx?kEz<#?8s~?7R8C*;u#W=tC68%2$Jex+
z=lMAzUvZ0;3p|)Zc{IUCMf?}hl47;gOPlUYQHFF*@LBErnlHu!(>ibo0jDkCL?E<K
z0^e}EmI>Z1;=hbQnk|rqz>C^>g~#H7^E&V?0v=nygFt4k1is^-mI+=f;{P52uPxw3
z;3@6=fk)zjw{+kt0-3fzCIUCK^GEjNSqtSN{%Z(i+XC4L?9k4i_;4PD>1RHbCvWmE
zd|At{?8z7TjT^OG=UrMRc{pF3H~1qhzccv-{=q>le{#2$o3SH)dexx6I8-RdDelv9
zi;oscVw%rtnc-<Ie{-lvUi*jpwA|*SBF4YOr;Dh<m?gd<N{T(j6!4M}|9At|Z5Z5E
zO#WaJU}YT2>23K{RLZ^OT2IsZMg--X;Zr6LOAk4COxGnNS&h1>Vk-Bh0M-CjFDAb?
z6)*(YqoEUU8Q{|bBQC(&IFysVn%ab`sk5#o4c<BwT+*#>z~z8xB?3Kw^?+f4k#xYY
zZ7Q5F)nH9|;cY;{aow5$*a&z=!%V;xfLHZY7GT6S6-k&{X-#FryAlOWrP4YN@GihT
z8qNn?1;`pM0BnlG*t?}PVt9R^&9Lq(6Kf7&i@*|P@bhKz`7H#z8_v%(%mus$Fs)qT
zd4Tr<h6P6Q0bAoxPWtm}O}Nw5)}8v{U5$d{x^)p?8{ioY3jo&uUe!~DfNO12YZIo{
zSyM&uu0ugng|rp}-Uqlx!^MF21G2zK31GWzsy$(9y){(|?|Kwm*R4wcHvr}Z1TF=9
z0I*G9qztgbHr0_Z)oD$Y!`q31le)D6a3kO+8U_F#1f0@Sm4IEgsjh^nP1aNp-c2aj
zP${idfSUoI(6AbC3*ajPBQ=2CwyExfsjb#j2;QwInANSz0DAxfL4mb^y?~nqM(P0j
zY*T#+Q`@Ym<?wDp!E3s;9&kJ0g&+-j!+`yFrmAGB0dR+HYDdD<fHl<!@4%fYDe$fU
z+!=?l3sqD~{6aPLTYsW8rt5SKH6(fJ8<lF7o}u@h@A<f+ma=(EExA)aa4)=gZe)U@
VMdrNNP%RxK<HIGfnL0{N`Va5pos0kg