From d648c6d652f1d56f05adeb17f3f5891c0202ac57 Mon Sep 17 00:00:00 2001
From: Dominik Stadler
Date: Sun, 20 Mar 2022 06:52:51 +0000
Subject: [PATCH] Fix issues found when fuzzing Apache POI via Jazzer Throw RecordFormatException instead of NPE or assertion for cases that can be triggered by a malformed document
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1899073 13f79535-47bb-0310-9956-ffa450edef68
---
 .../main/java/org/apache/poi/hslf/usermodel/HSLFShape.java | 4 ++++
 .../org/apache/poi/hslf/usermodel/HSLFShapeFactory.java | 7 +++++--
 .../apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java | 5 ++++-
 3 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
index 1c6f6c3945..3b69f66a0f 100644
--- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
+++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShape.java
@@ -50,6 +50,7 @@ import org.apache.poi.sl.usermodel.PresetColor;
 import org.apache.poi.sl.usermodel.Shape;
 import org.apache.poi.sl.usermodel.ShapeContainer;
 import org.apache.poi.sl.usermodel.ShapeType;
+import org.apache.poi.util.RecordFormatException;
 import org.apache.poi.util.Removal;
 import org.apache.poi.util.StringUtil;
 import org.apache.poi.util.Units;
@@ -167,6 +168,9 @@ public abstract class HSLFShape implements Shape {
 LOG.atWarn().log("EscherSpRecord.FLAG_CHILD is set but EscherChildAnchorRecord was not found");
 }
 EscherClientAnchorRecord clientRec = getEscherChild(EscherClientAnchorRecord.RECORD_ID);
+ if (clientRec == null) {
+ throw new RecordFormatException("Could not read record 'CLIENT_ANCHOR' with record-id: " + EscherClientAnchorRecord.RECORD_ID);
+ }
 x1 = clientRec.getCol1();
 y1 = clientRec.getFlag();
 x2 = clientRec.getDx1();
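Review bot: The message built in the new `clientRec == null` branch appends `EscherClientAnchorRecord.RECORD_ID` as-is, so if that constant is a `short` like other Escher record ids (its declaration is not visible in this hunk) it is printed as a signed decimal rather than the hex id used in the format documentation. Formatting it explicitly, e.g. `"... with record-id: 0x" + Integer.toHexString(EscherClientAnchorRecord.RECORD_ID & 0xFFFF)`, makes a failure on a malformed document easier to triage. The enclosing method starts and ends outside the hunk; its Javadoc would benefit from a `@throws RecordFormatException if the client anchor record is missing` line so callers that parse untrusted files know to handle it.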
diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java index b13789f843..41692b77fe 100644 --- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java +++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFShapeFactory.java @@ -42,6 +42,7 @@ import org.apache.poi.hslf.record.Record; import org.apache.poi.hslf.record.RecordTypes; import org.apache.poi.sl.usermodel.ShapeContainer; import org.apache.poi.sl.usermodel.ShapeType; +import org.apache.poi.util.RecordFormatException; /** * Create a Shape object depending on its type @@ -90,9 +91,12 @@ public final class HSLFShapeFactory { } public static HSLFShape createSimpleShape(EscherContainerRecord spContainer, ShapeContainer parent){ - HSLFShape shape = null; EscherSpRecord spRecord = spContainer.getChildById(EscherSpRecord.RECORD_ID); + if (spRecord == null) { + throw new RecordFormatException("Could not read EscherSpRecord as child of " + spContainer.getRecordName()); + } + final HSLFShape shape; ShapeType type = ShapeType.forId(spRecord.getShapeType(), false); switch (type){ case TEXT_BOX: @@ -167,5 +171,4 @@ public final class HSLFShapeFactory { } return null; } - } diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java index 273f9e87ed..1dfeda874f 100644 --- a/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java +++ b/poi-scratchpad/src/main/java/org/apache/poi/hslf/usermodel/HSLFSlideShowEncrypted.java 
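Review bot: In `createSimpleShape`, the line right after the new null check still passes the document-supplied `spRecord.getShapeType()` to `ShapeType.forId(...)` and switches on the result with no guard. How `forId` treats an unknown id is not visible here: if it returns null, `switch (type)` throws the same kind of NPE this commit removes, and if it throws some other unchecked exception, callers that treat `RecordFormatException` as the malformed-file signal will not see it. Consider normalising that path too, for example by catching the lookup failure and rethrowing `new RecordFormatException("Unknown shape type in " + spContainer.getRecordName(), e)` with the cause preserved. The method body continues past the end of the hunk.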
@@ -47,6 +47,7 @@ import org.apache.poi.util.Internal; import org.apache.poi.util.LittleEndian; import org.apache.poi.util.LittleEndianByteArrayInputStream; import org.apache.poi.util.LittleEndianByteArrayOutputStream; +import org.apache.poi.util.RecordFormatException; /** * This class provides helper functions for encrypted PowerPoint documents. @@ -100,7 +101,9 @@ public class HSLFSlideShowEncrypted implements Closeable { } org.apache.poi.hslf.record.Record r = recordMap.get(userEditAtomWithEncryption.getPersistPointersOffset()); - assert(r instanceof PersistPtrHolder); + if (!(r instanceof PersistPtrHolder)) { + throw new RecordFormatException("Encountered an unexpected record-type: " + r); + } PersistPtrHolder ptr = (PersistPtrHolder)r; Integer encOffset = ptr.getSlideLocationsLookup().get(userEditAtomWithEncryption.getEncryptSessionPersistIdRef());
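Review bot: The check that replaces the `assert` builds its message with `"..." + r`, which calls `toString()` on a record parsed from an untrusted file. Depending on how the record classes implement `toString()` (not visible here), that can put a large or content-bearing dump into exception messages and logs. Reporting only the type is enough for diagnosis, e.g. `"Encountered an unexpected record-type: " + (r == null ? null : r.getClass().getSimpleName())`. The enclosing method starts before and continues after the hunk.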