Sanity check the length, logging and truncating if too long, to avoid a StringIndexOutOfBoundsException (bug #54925)

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1496520 13f79535-47bb-0310-9956-ffa450edef68
Nick Burch 2013-06-25 15:49:45 +00:00
parent 456f6171d9
commit 84a00d8d4b


@ -273,6 +273,7 @@ public final class StyleTextPropAtom extends RecordAtom
while(pos < rawContents.length && textHandled < prsize) { while(pos < rawContents.length && textHandled < prsize) {
// First up, fetch the number of characters this applies to // First up, fetch the number of characters this applies to
int textLen = LittleEndian.getInt(rawContents,pos); int textLen = LittleEndian.getInt(rawContents,pos);
textLen = checkTextLength(textLen, textHandled, size);
textHandled += textLen; textHandled += textLen;
pos += 4; pos += 4;
@ -308,6 +309,7 @@ public final class StyleTextPropAtom extends RecordAtom
while(pos < rawContents.length && textHandled < chsize) { while(pos < rawContents.length && textHandled < chsize) {
// First up, fetch the number of characters this applies to // First up, fetch the number of characters this applies to
int textLen = LittleEndian.getInt(rawContents,pos); int textLen = LittleEndian.getInt(rawContents,pos);
textLen = checkTextLength(textLen, textHandled, size);
textHandled += textLen; textHandled += textLen;
pos += 4; pos += 4;
@ -346,6 +348,15 @@ public final class StyleTextPropAtom extends RecordAtom
initialised = true; initialised = true;
} }
private int checkTextLength(int readLength, int handledSoFar, int overallSize) {
if (readLength + handledSoFar > overallSize + 1) {
logger.log(POILogger.WARN, "Style length of " + readLength + " at " + handledSoFar +
" larger than stated size of " + overallSize + ", truncating");
return overallSize + 1 - handledSoFar;
}
return readLength;
}
/** /**
* Updates the cache of the raw contents. Serialised the styles out. * Updates the cache of the raw contents. Serialised the styles out.
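Review bot: The bound in `checkTextLength` is computed as `readLength + handledSoFar` in `int` arithmetic on a value read straight from the record bytes, so a very large `readLength` wraps negative and skips the truncation, while a negative `readLength` is returned unchanged and then added to `textHandled` by both callers. Either case leaves the parsing loops holding a length that was never bounded by `size`, which is presumably the condition behind the StringIndexOutOfBoundsException this commit sets out to prevent. I would widen the comparison and send negatives down the truncating branch, `if (readLength < 0 || (long) readLength + handledSoFar > (long) overallSize + 1) {`, keeping the existing warning and return value. The two call sites sit inside loops that start and end outside the hunks, so how the clamped length is consumed afterwards cannot be confirmed from here.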