Sanity check the length, logging and truncating if too long, to avoid a StringIndexOutOfBoundsException (bug #54925)
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1496520 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
456f6171d9
commit
84a00d8d4b
@ -273,6 +273,7 @@ public final class StyleTextPropAtom extends RecordAtom
|
||||
while(pos < rawContents.length && textHandled < prsize) {
|
||||
// First up, fetch the number of characters this applies to
|
||||
int textLen = LittleEndian.getInt(rawContents,pos);
|
||||
textLen = checkTextLength(textLen, textHandled, size);
|
||||
textHandled += textLen;
|
||||
pos += 4;
|
||||
|
||||
@ -308,6 +309,7 @@ public final class StyleTextPropAtom extends RecordAtom
|
||||
while(pos < rawContents.length && textHandled < chsize) {
|
||||
// First up, fetch the number of characters this applies to
|
||||
int textLen = LittleEndian.getInt(rawContents,pos);
|
||||
textLen = checkTextLength(textLen, textHandled, size);
|
||||
textHandled += textLen;
|
||||
pos += 4;
|
||||
|
||||
@ -346,6 +348,15 @@ public final class StyleTextPropAtom extends RecordAtom
|
||||
initialised = true;
|
||||
}
|
||||
|
||||
private int checkTextLength(int readLength, int handledSoFar, int overallSize) {
|
||||
if (readLength + handledSoFar > overallSize + 1) {
|
||||
logger.log(POILogger.WARN, "Style length of " + readLength + " at " + handledSoFar +
|
||||
" larger than stated size of " + overallSize + ", truncating");
|
||||
return overallSize + 1 - handledSoFar;
|
||||
}
|
||||
return readLength;
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Updates the cache of the raw contents. Serialised the styles out.
|
||||
|
Loading…
Reference in New Issue
Block a user