Bug 66425: Avoid Exceptions found via oss-fuzz

We try to avoid throwing NullPointerExceptions or endless allocations, but it was possible to trigger one here with a specially crafted input-file Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=62697 git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1912793 13f79535-47bb-0310-9956-ffa450edef68
apache · Oct 7, 2023 · 6fae5bb · 6fae5bb
1 parent c331c5d
commit 6fae5bb
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 3 deletions.
diff --git a/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java b/poi/src/main/java/org/apache/poi/hssf/record/SSTDeserializer.java
@@ -48,7 +48,9 @@ public void manufactureStrings(int stringCount, RecordInputStream in) {
             UnicodeString str;
             if (in.available() == 0 && (!in.hasNextRecord() || in.getNextSid() != ContinueRecord.sid)) {
                 LOG.atError().log("Ran out of data before creating all the strings! String at index {}", box(i));
-                str = new UnicodeString("");
+
+                // not much sense in trying to continue reading in this case, file seems to be broken
+                return;
             } else {
                 str = new UnicodeString(in);
             }

diff --git a/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java b/poi/src/main/java/org/apache/poi/poifs/filesystem/DocumentInputStream.java
@@ -169,7 +169,8 @@ public int read(byte[] b, int off, int len) throws IOException {
             throw new IllegalArgumentException("buffer must not be null");
         }
         if (off < 0 || len < 0 || b.length < off + len) {
-            throw new IndexOutOfBoundsException("can't read past buffer boundaries");
+            throw new IndexOutOfBoundsException("can't read past buffer boundaries with off: " + off +
+                    ", len: " + len + ", b.length: " + b.length);
         }
         if (len == 0) {
             return 0;

diff --git a/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java b/poi/src/test/java/org/apache/poi/hssf/dev/BaseTestIteratingXLS.java
@@ -88,6 +88,7 @@ protected Map<String,Class<? extends Throwable>> getExcludes() {
         excludes.put("64130.xls", OldExcelFormatException.class);
         // fuzzed binaries
         excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-6322470200934400.xls", RuntimeException.class);
+        excludes.put("clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls", RuntimeException.class);
         return excludes;
     }
 

diff --git a/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java b/poi/src/test/java/org/apache/poi/hssf/record/TestSSTDeserializer.java
@@ -18,6 +18,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 package org.apache.poi.hssf.record;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
 
 import java.io.IOException;
 import java.io.InputStream;
@@ -137,6 +138,7 @@ void test65543() throws IOException {
         deserializer.manufactureStrings(2, in);
 
         assertEquals("At a dinner party or", strings.get(0) + "");
-        assertEquals("", strings.get(1) + "");
+        assertThrows(IndexOutOfBoundsException.class,
+                () -> strings.get(1));
     }
 }
diff --git a/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls b/test-data/spreadsheet/clusterfuzz-testcase-minimized-POIHSSFFuzzer-4819588401201152.xls
diff --git a/test-data/spreadsheet/stress.xls b/test-data/spreadsheet/stress.xls