moparisthebest
/
poi
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

More on bug #54682 - check for the end offset overflowing too 

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1487558 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Nick Burch 2013-05-29 17:31:50 +00:00
parent c702bc5ce5
commit 7c246cb5f0
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java
View File

@ -34,10 +34,12 @@ public final class UnhandledDataStructure
public UnhandledDataStructure(byte[] buf, int offset, int length) public UnhandledDataStructure(byte[] buf, int offset, int length)
{ {
// Sanity check the size they've asked for // Sanity check the size they've asked for
if (offset + length > buf.length) int offsetEnd = offset + length;
if (offsetEnd > buf.length || offsetEnd < 0)
{ {
throw new IndexOutOfBoundsException("Buffer Length is " + buf.length + " " + throw new IndexOutOfBoundsException("Buffer Length is " + buf.length + " " +
"but code is tried to read " + length + " from offset " + offset); "but code is tried to read " + length + " " +
"from offset " + offset + " to " + offsetEnd);
} }
if (offset < 0 || length < 0) if (offset < 0 || length < 0)
{ {
@ -46,7 +48,7 @@ public final class UnhandledDataStructure
} }
// Save that requested portion of the data // Save that requested portion of the data
_buf = Arrays.copyOfRange(buf, offset, offset + length); _buf = Arrays.copyOfRange(buf, offset, offsetEnd);
} }
byte[] getBuf() byte[] getBuf()