From fdeae16b0c617400d53266e36fc6123e59bbaed0 Mon Sep 17 00:00:00 2001 From: Dominik Stadler Date: Wed, 9 Aug 2023 07:23:04 +0000 Subject: [PATCH] Bug 66425: Avoid a ClassCastException found via oss-fuzz We try to avoid throwing ClassCastException, but it was possible to trigger one here with a specially crafted input-file Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61317 git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1911565 13f79535-47bb-0310-9956-ffa450edef68 --- .../org/apache/poi/hwpf/HWPFDocumentCore.java | 7 +++++-- .../converter/TestWordToConverterSuite.java | 3 ++- .../converter/TestWordToTextConverter.java | 3 ++- ...nimized-POIHWPFFuzzer-5440721166139392.doc | Bin 0 -> 17936 bytes test-data/spreadsheet/stress.xls | Bin 62464 -> 62976 bytes 5 files changed, 9 insertions(+), 4 deletions(-) create mode 100644 test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc diff --git a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java index 325abc6df8..22bf28eab7 100644 --- a/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java +++ b/poi-scratchpad/src/main/java/org/apache/poi/hwpf/HWPFDocumentCore.java @@ -54,7 +54,6 @@ import org.apache.poi.util.IOUtils; import org.apache.poi.util.Internal; import org.apache.poi.util.LittleEndianByteArrayInputStream; - /** * This class holds much of the core of a Word document, but * without some of the table structure information. @@ -187,7 +186,11 @@ public abstract class HWPFDocumentCore extends POIDocument { DirectoryEntry objectPoolEntry = null; if (directory.hasEntry(STREAM_OBJECT_POOL)) { - objectPoolEntry = (DirectoryEntry) directory.getEntry(STREAM_OBJECT_POOL); + final Entry entry = directory.getEntry(STREAM_OBJECT_POOL); + if (!(entry instanceof DirectoryEntry)) { + throw new IllegalArgumentException("Had unexpected type of entry for name: " + STREAM_OBJECT_POOL + ": " + entry.getClass()); + } + objectPoolEntry = (DirectoryEntry) entry; } _objectPool = new ObjectPoolImpl(objectPoolEntry); } diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java index cafc6c3dfa..71f4327133 100644 --- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java +++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToConverterSuite.java @@ -59,7 +59,8 @@ public class TestWordToConverterSuite "Fuzzed.doc", "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc", "TestHPSFWritingFunctionality.doc", - "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc" + "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc", + "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc" ); public static Stream files() { diff --git a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java index 4bb810735f..30e46e5d9f 100644 --- a/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java +++ b/poi-scratchpad/src/test/java/org/apache/poi/hwpf/converter/TestWordToTextConverter.java @@ -51,7 +51,8 @@ public class TestWordToTextConverter { // Corrupt files "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5418937293340672.doc", "TestHPSFWritingFunctionality.doc", - "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc" + "clusterfuzz-testcase-minimized-POIHWPFFuzzer-4947285593948160.doc", + "clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc" ); /** diff --git a/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc b/test-data/document/clusterfuzz-testcase-minimized-POIHWPFFuzzer-5440721166139392.doc new file mode 100644 index 0000000000000000000000000000000000000000..c1dea2dc4d220812e3609e3ce816855c62dfa407 GIT binary patch literal 17936 zcmeI4d2m(L9mmg2UdRh!2?4^Ua)q$S5|Xg070CjI6a-mH4KDMt00~K6`jP;NwgyGU zc60`pcIZq?$5yP}{;1vC>43J{PA#odTSq(XNcp3+Gt>#-=-8=w{d~`TFL^H{c_D;! zD({5vy=VEIbAIP{erLVE$E&}eaQf-*PXC+fo*9c2siwW}A!nj^*8hM9I8$B|3mxIQ{vOJiavGc`X z=o8T->+g|3B3UUtR{qiXTXBiT{}}QP=lFLiPvd_Um<@8l955Hm1M|TRU;$VN7Jp~b08@M`m@ z46W$KoU~7~PV@K1+Nw~nIk>CE-4P5`FD?!4ZEdJ&Y_V&?#;uAg4OZEeK>j=eHa%~Z zdH2TWKjjrP&=dXhDjkSufV6B@mC@`%cCsQx3uNYMvpU&8Eui!B=Z`*_05^ zSXXAcW}Xk9Gi5|xV|MVjxL2D3#-)sQP)l1I&0b1&f!&b{vy_xiGAsPfJ>@=nbdtH-@60kwvI?9n zyd|Fvww3BDspw?mqw{^tDP1!QoJvP?OBSsQz_{IVrdpG~AgVW`H2PW_GJB5~q2YIWc zUOZSSg($1R_L_LtIG#@)$2{R^P90^|TmADSDITX;9=#SmXem?7gHT=<(KpqxoAykj zr!<0GD_fVi3$(qB@GfFP)Y(eAC69KVIxS3RoH>D9C%2lQnPZ=Gs~y}t>z~9>OJk^| z(H~hzIE~K8qHb|JI3A>d#ZK!0Jk03kLG?y?5I+O)p!9W)F;6kAd>-J9IL(zQJ}(d- zn;MCYQeOOyEzzd>Z3+G!%BR?ZQ;ZftJ1h63T!N1Ra@fMRuw2h&tFGdsJ9!me!Hn-` zOaCZ1#Ii2BY_|1(0P~^OZok)RA8Dx1?)IhGn%p&09VF$m;8Dii0Ao_`e1n)Qlu<$+Z&Ew& zCw{!~bxNfjlhLUHqR#0EhlLa~+U8TqI@*Z-81Ju+@#1YaB8*>{%+506JAh*j@-%h; z81sQ|C@)X-Ix$AM%gHw!ub&`R6$N5guLlt0SHNYxkHwv^}uAc1W5CKh{_aa+!jh*+$g z`h9F;ZEIk4Yc?+HbB*2K=zQG3TBf~ZKINce3Efs!#0J)K?TqNUxr3{{h*h(env_Qz zzmu>YR4xI>%YB0_C%_)mYpKWaU}}%$xEM)0{>K>izeGfPti11g^625C=bxUt8+aY? zByB37cT()R%x6-M=zJC*s~EX?3^nG8q`OQBWalR=ATog@r0bW!ul4l`xQ>Kn?t`M# zRGW^~=O^_h4$eNE`F85t=+VGVn}P+9Jn!>11$H50xn6@2i$)jmo_hbJ z>&`eAoPB=Gm8v(cA_85UKebct?KIv_Km3*RA8gu_^{vPKX5qZ=y(vYQN&=fbyAf&P ztzF>(pynO|+W8#;qWKcgF7P>^k@$U}em)5#i@yMN59Vzk6?zv~VN-`V8WVZ{^F!~> zS7`;SwA*8&b@;_r-4)Ak8jtF z?SX3dwuaiqHn*f^Z&e!;bZ@%YJc;}&`)YJ&kH2U(x*6)$>=T{@~dEUg6M<0xdgcm7q2PiO^RC2PIsNzL{DurMI7DAdAfvMZhr3ME>9^H zd>hJyu87o+M`G^e9&;OU>q#reFPd_ja~-}dq}|CHqQ46Asq7ulssx`?LRuz&>$%A< z;D%rIts~^szQNX{9e5FWckpycb9t9i?po?{`z&*> z6P~u%HhJZ3j4?$(oYTX(sySzg!L))kR&3#p~HPPNc$Pdv>{#D~~FYtP@p?w|ED zvU5ltlat3}?^r&|={bgL49A8?(w{sgUv#if9+RbzSGP+ZlN0rS@|c`FCMVL7k7|1I zn4CN&TixzRq~Xb9av}*0Ej@Wm{^%W(T@K8xT;9w0M`j~3M~XeBZ@0&8T`_C`x@^#8 zKz|2tmo(2rsm2=9gfLHWDN_b3LHsg`QAnmzGLvefuGmWk`AdP`ebus^*yyD}MK?wK z#fEnYaT6s+Iq7L(fIKpf5eF_U7C-Iygj)F7Wn*O86oPIq?^b+ij%ZyjM`W&31=n7S zbb%rxqIObMvJA8W$Wo?K`hY2ODj8SFd~3hWw}@DkDwCZWYpNrDswqJds<*U3Xk@z6 zV9mP}ui63wUaO3yU&Os<02H9EI&#QFNM>nX2{IWHN0rp=^>dx2*hRXGr`j;mRR4MO z$}P%PQe;@=V&a(xmSNhNhlyt)*G7vl`CLv)JH|hm@E0o|wX{0IxeHxBx$?=QGV=Lb zL3)UgY8=_Wu_IjHaJOy;dQnH8xLme1SgmbC_QPGvl`F5o&I8_fyWf!pl%tQ*I+@@V zqZMsXcpv=7@^LGj*7c0C^lrZlAT_$A<;|dyd>Tzn_%$BycQkG^`f8AuXC|r9rx+Rf zdE;=utsyE&X??5~r!(i(Q&OcJpUS25c511#B}mJ++3}+huT-^Vr{k3`-ix~DgLE!# zWe%wsGDv&d?YPp26rE-z$zm(<;!y^jDzA{VReY*n%t$NXPqZ5?H+9tL8Es6Xjy>TF!Ugxg09|tzt)%sdj+SFvVO6yw?pWt!WBhkU>Wf3*+ zCjWl;tU?P^pZYzjoh#^R_5aYcQ-&{Uv&xq4^`W7+$Ta3sG;}`vXq~zN4ZRUgrHdLv z>1axPN}(NLt1S1!r={9s?~2`M|EAwSY{Fpt*o)`nI#Y6;)Mdv1dcMB&|7b#R_F%Gp zanimwZ zI>}gns633Lepxnnb_av1KT3M>yR4*kb4`6-b$v}JufAqqO+BBzv7J`&_IW(!R|N0d z-(k+MZsL>^GwM9=41S%tFe;3TYxrNroIU=6d7wk~DVDZ?%gZj{;j>UW4aAZq2RM+oE0%k;J_sg0Xm%WY!rIR||ER`n(kB#v~J$^hU zL)Q9-!6V=~@J;Y-P)?&ZfZIU@kVXHg*k-;G8~Am4aY-KB{D;Hh9#9t-0 z*n=siz5TlRY^6q#dMWka3Vm5*FQ97+{R+2~ca`Nt7nUvk*4H~>I`zxY^HS<(x$d@` z-NZIh*8^45spFsbn~~nN^c_|caw1#VGY7-rZ+J}f5Vzdh6lmE)IMUcN9S7x&gzPK& Ne*r99vTva>{ujh#@p=FN literal 0 HcmV?d00001 diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls index b9ac3702aafc138804d43d09ff9b0f1d986323ad..f792d02ef355458bd06c866ebfdbe225c74686b1 100644 GIT binary patch delta 928 zcmZWnUr1AN6#nj?O}E`UZ48~1%)ns898GO*C01e)QCcrS5!9Lz4Vk9>aRhEJQua{V zuZNKAUhT1mRkxn zCX0?S02{?(F>R>glAzu&L!R20KDGV6JZQ`It;8nT75SDpvuga3-${<_wnwqa{AWR8 z@odKnhhG##*5qpZ@9kxGU5-+gqbf;+$aKZ)tj3f;gLwE&@v=3SN+gb)N(BWi)N7&P z5*k-_5?fdJIO=f+1pyH(h?XEP^THQwDU2&V)~RwkI$7x2YGF*R44$#jLJ8$nuD7nX zlvP>CO-!THeSEjC{Tj`L6NkqV1H)G@52Z#YP>Xb)>Cw}+w-RvC_#JI*5^fs}XOudY zOYU!O-_y|=4o4#4wpd%NHPk}D7p1Kq|G%^xTvzp$9YFeiyTtw0c3?&5n z$N+Gz&X^qTbO)%xeCFtzn*iz`0RDMkF$X+(4fMSSYzSvpgT0xRGkiOpR5x$TE%V&JHT9C2QOcETe9ej%-SVQByj(DkMlX4Zn``Q(7duj< z0(6NUytLn;J7gV&kc;n5=K&2GoBkeP4-3tnpG$!612FX!__P8vts2XP)<&kw{`nvB EUp7|O*8l(j delta 512 zcmZXQPbfrD6vn^%-W|M|_g<4GhMG{rLP!>7Lc@ZcWF=Na79xK_M#7j9SqQfzNkiFs za;0Qe7HBL@$)AOil5E&0%D8uAO75-G@7#0F_nmI&MGZZvdsNZJ0DL79i6A$W3&QSH z?{WuSp?$Wxg~^*R8=`Z{(Ifw$r>cf<-flQ{O;ol#vJ9ENC;WY>SGBt=ar8cfoZULd+7y0jBBW(gsvL{v!$%Caon z;ZI>oce5Hpt`iX}1pclNG=7cOQxr{7%#eC7M(K|#D>FqWuQ3~o-PVZkgdGjRuI|B+ zo`L@1SvawF&LaL6+o1}y^H0AgpE!6PTk+DC51D?Hn8^c!*ui{AhM