From 7f9f8e9afa8160ef401ec8b3416d36428e928e2f Mon Sep 17 00:00:00 2001
From: Tim Allison
Date: Fri, 14 Oct 2016 14:57:29 +0000
Subject: [PATCH] add length sanity check for length of embedded OLE10Native (BUG 60256)
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1764927 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/poi/poifs/filesystem/Ole10Native.java | 5 ++++-
 .../apache/poi/poifs/filesystem/TestOle10Native.java | 10 ++++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/java/org/apache/poi/poifs/filesystem/Ole10Native.java b/src/java/org/apache/poi/poifs/filesystem/Ole10Native.java
index aee674759..d11841dd5 100644
--- a/src/java/org/apache/poi/poifs/filesystem/Ole10Native.java
+++ b/src/java/org/apache/poi/poifs/filesystem/Ole10Native.java
@@ -192,7 +192,10 @@ public class Ole10Native {
 dataSize = totalSize;
 break;
 }
-
+
+ if ((long)dataSize + (long)ofs > (long)data.length) { //cast to avoid overflow
+ throw new Ole10NativeException("Invalid Ole10Native: declared data length > available data");
+ }
 dataBuffer = new byte[dataSize];
 System.arraycopy(data, ofs, dataBuffer, 0, dataSize);
 ofs += dataSize;
diff --git a/src/testcases/org/apache/poi/poifs/filesystem/TestOle10Native.java b/src/testcases/org/apache/poi/poifs/filesystem/TestOle10Native.java
index a8826ffad..0abdf8489 100644
--- a/src/testcases/org/apache/poi/poifs/filesystem/TestOle10Native.java
+++ b/src/testcases/org/apache/poi/poifs/filesystem/TestOle10Native.java
@@ -20,6 +20,8 @@ package org.apache.poi.poifs.filesystem;
 import static org.hamcrest.core.IsEqual.equalTo;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
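Review bot: A negative dataSize still passes the new guard in Ole10Native.java, because `(long)dataSize + (long)ofs` is then smaller than `data.length`, and the following `new byte[dataSize]` would fail with an unchecked NegativeArraySizeException instead of Ole10NativeException. The assignments to dataSize sit in a switch that starts above the hunk, so whether a negative value can arrive from the file is not visible here; if any branch reads it from the stream, extend the condition to `if (dataSize < 0 || (long)dataSize + (long)ofs > (long)data.length) {`. A short comment stating that the check must run before the allocation would also help the next reader, e.g. `// validate declared length before allocating (BUG 60256)`.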
@@ -110,10 +112,14 @@ public class TestOle10Native {
 }
 @Test
- @Ignore("BUG 60256")
 public void testOleNativeOOM() throws IOException, Ole10NativeException {
 POIFSFileSystem fs = new POIFSFileSystem(dataSamples.openResourceAsStream("60256.bin"));
- Ole10Native ole = Ole10Native.createFromEmbeddedOleObject(fs);
+ try {
+ Ole10Native.createFromEmbeddedOleObject(fs);
+ fail("Should have thrown exception because OLENative lacks a length parameter");
+ } catch (Ole10NativeException e) {
+ assertTrue(e.getMessage().indexOf("declared data length") > -1);
+ }
 }
 }
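Review bot: The `POIFSFileSystem` opened at the top of testOleNativeOOM is never closed, and with the call now expected to throw there is no path on which it could be; if the class is Closeable in this version, put the try/catch inside a try/finally that calls `fs.close()`. The substring check would read more directly as `assertTrue(e.getMessage().contains("declared data length"));`. The fail message speaks of a missing length parameter while the exception it guards reports a declared length larger than the available data, so the two wordings should be aligned.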