From df5604a1d724685e28f2e7c3ae37dacac49ebe42 Mon Sep 17 00:00:00 2001
From: PJ Fanning <pjfanning@users.noreply.github.com>
Date: Tue, 17 Feb 2026 09:20:28 +0100
Subject: [PATCH] check input stream read params (#1012)

---
 .../org/apache/poi/util/RLEDecompressingInputStream.java    | 6 +++---
 poi/src/test/java/org/apache/poi/POIDataSamples.java        | 3 +++
 .../java/org/apache/poi/hssf/dev/BiffDumpingStream.java     | 6 +++---
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/poi/src/main/java/org/apache/poi/util/RLEDecompressingInputStream.java b/poi/src/main/java/org/apache/poi/util/RLEDecompressingInputStream.java
index 55ba486407..8a6b9bff82 100644
--- a/poi/src/main/java/org/apache/poi/util/RLEDecompressingInputStream.java
+++ b/poi/src/main/java/org/apache/poi/util/RLEDecompressingInputStream.java
@@ -20,6 +20,7 @@ package org.apache.poi.util;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Locale;
+import java.util.Objects;
 
 import org.apache.commons.io.input.UnsynchronizedByteArrayInputStream;
 import org.apache.commons.io.output.UnsynchronizedByteArrayOutputStream;
@@ -101,9 +102,8 @@ public class RLEDecompressingInputStream extends InputStream {
 
     @Override
     public int read(byte[] b, int off, int l) throws IOException {
-        if (len == -1) {
-            return -1;
-        }
+        Objects.requireNonNull(b, "b == null");
+        Objects.checkFromIndexSize(off, l, b.length);
         int offset = off;
         int length = l;
         while (length > 0) {
diff --git a/poi/src/test/java/org/apache/poi/POIDataSamples.java b/poi/src/test/java/org/apache/poi/POIDataSamples.java
index f976cd0c91..6106e449f4 100644
--- a/poi/src/test/java/org/apache/poi/POIDataSamples.java
+++ b/poi/src/test/java/org/apache/poi/POIDataSamples.java
@@ -21,6 +21,7 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.io.UncheckedIOException;
 import java.nio.file.Files;
+import java.util.Objects;
 
 import org.apache.commons.io.output.UnsynchronizedByteArrayOutputStream;
 import org.apache.poi.poifs.filesystem.POIFSFileSystem;
@@ -246,6 +247,8 @@ public final class POIDataSamples {
         }
         @Override
         public int read(byte[] b, int off, int len) throws IOException {
+            Objects.requireNonNull(b, "b == null");
+            Objects.checkFromIndexSize(off, len, b.length);
             return _is.read(b, off, len);
         }
         @Override
diff --git a/poi/src/test/java/org/apache/poi/hssf/dev/BiffDumpingStream.java b/poi/src/test/java/org/apache/poi/hssf/dev/BiffDumpingStream.java
index 0591b359cb..2737199f29 100644
--- a/poi/src/test/java/org/apache/poi/hssf/dev/BiffDumpingStream.java
+++ b/poi/src/test/java/org/apache/poi/hssf/dev/BiffDumpingStream.java
@@ -20,6 +20,7 @@ package org.apache.poi.hssf.dev;
 import java.io.DataInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Objects;
 
 import org.apache.poi.hssf.record.RecordInputStream;
 import org.apache.poi.util.LittleEndian;
@@ -63,9 +64,8 @@ final class BiffDumpingStream extends InputStream {
 
     @Override
     public int read(byte[] b, int off, int len) throws IOException {
-        if (b == null || off < 0 || len < 0 || b.length < off + len) {
-            throw new IllegalArgumentException();
-        }
+        Objects.requireNonNull(b, "b == null");
+        Objects.checkFromIndexSize(off, len, b.length);
         if (_currentPos >= _currentSize) {
             fillNextBuffer();
         }