pashko/apache-poi
1
0
Fork 0
mirror of https://github.com/apache/poi.git synced 2026-02-27 20:40:08 +08:00
Code Issues Packages Projects Releases Wiki Activity

Prevent large allocations when writing PPDrawing items

Browse Source 
Add an allocation check which can be disabled if necessary.

Fixes https://issues.oss-fuzz.com/issues/477289649 and https://issues.oss-fuzz.com/issues/479564936
This commit is contained in:
Dominik Stadler 2026-02-14 17:16:26 +01:00
parent 8d53613bcf
commit c92c533d7a
6 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
poi-scratchpad/src/main/java/org/apache/poi/hslf/record/PPDrawing.java
View File

@ -47,6 +47,7 @@ import org.apache.poi.ddf.EscherSpgrRecord;
import org.apache.poi.ddf.EscherTextboxRecord;
import org.apache.poi.sl.usermodel.ShapeType;
import org.apache.poi.util.GenericRecordUtil;
import org.apache.poi.util.IOUtils;
import org.apache.poi.util.LittleEndian;
/**
@ -65,6 +66,7 @@ import org.apache.poi.util.LittleEndian;
// would require a wrapping class
public final class PPDrawing extends RecordAtom implements Iterable<EscherRecord> {
public static final int MAX_RECORD_SIZE = 20_000_000;
private final byte[] _header;
private long _type;
@ -214,8 +216,9 @@ public final class PPDrawing extends RecordAtom implements Iterable<EscherRecord
// Write out our header
out.write(_header);
// Now grab the children's data
byte[] b = new byte[newSize];
// Now grab the children's data, but fail if it tries to allocate
// too much
byte[] b = IOUtils.safelyAllocate(newSize, MAX_RECORD_SIZE);
int done = 0;
dgContainer.serialize(done, b);

1
poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideIdListing.java
View File

@ -32,6 +32,7 @@ public class TestSlideIdListing extends BaseTestPPTIterating {
static {
LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-5306877435838464.ppt");
LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt");
LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt");
}
@Test

4
poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestSlideShowRecordDumper.java
View File

@ -25,12 +25,14 @@ import java.util.Set;
import org.apache.poi.EmptyFileException;
import org.apache.poi.hslf.HSLFTestDataSamples;
import org.apache.poi.util.RecordFormatException;
import org.junit.jupiter.api.Test;
public class TestSlideShowRecordDumper extends BaseTestPPTIterating {
static final Set<String> LOCAL_EXCLUDED = new HashSet<>();
static {
LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt");
LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt");
}
@Test
@ -58,7 +60,7 @@ public class TestSlideShowRecordDumper extends BaseTestPPTIterating {
void runOneFile(File pFile) throws Exception {
try {
SlideShowRecordDumper.main(new String[]{pFile.getAbsolutePath()});
} catch (IllegalStateException e) {
} catch (IllegalStateException | RecordFormatException e) {
if (!LOCAL_EXCLUDED.contains(pFile.getName())) {
throw e;
}

4
poi-scratchpad/src/test/java/org/apache/poi/hslf/dev/TestUserEditAndPersistListing.java
View File

@ -24,12 +24,14 @@ import java.util.HashSet;
import java.util.Set;
import org.apache.poi.EmptyFileException;
import org.apache.poi.util.RecordFormatException;
import org.junit.jupiter.api.Test;
public class TestUserEditAndPersistListing extends BaseTestPPTIterating {
static final Set<String> LOCAL_EXCLUDED = new HashSet<>();
static {
LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6360479850954752.ppt");
LOCAL_EXCLUDED.add("clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt");
}
@Test
@ -42,7 +44,7 @@ public class TestUserEditAndPersistListing extends BaseTestPPTIterating {
void runOneFile(File pFile) throws Exception {
try {
UserEditAndPersistListing.main(new String[]{pFile.getAbsolutePath()});
} catch (IllegalStateException e) {
} catch (IllegalStateException | RecordFormatException e) {
if (!LOCAL_EXCLUDED.contains(pFile.getName())) {
throw e;
}

BIN
test-data/slideshow/clusterfuzz-testcase-minimized-POIHSLFFuzzer-6028723156746240.ppt Normal file
View File

Binary file not shown.

BIN
test-data/spreadsheet/stress.xls
View File

Binary file not shown.