From c702bc5ce58f9f11f408c7568cc96382c76641ef Mon Sep 17 00:00:00 2001 From: Nick Burch Date: Wed, 29 May 2013 17:25:40 +0000 Subject: [PATCH] Fix bug #54682 - UnhandledDataStructure should sanity check before allocating, not after git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1487555 13f79535-47bb-0310-9956-ffa450edef68 --- .../hwpf/model/UnhandledDataStructure.java | 23 +++++++++++++++---- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java b/src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java index 441ec0310..6cf53f746 100644 --- a/src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java +++ b/src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java @@ -17,8 +17,15 @@ package org.apache.poi.hwpf.model; +import java.util.Arrays; + import org.apache.poi.util.Internal; +/** + * A data structure used to hold some data we don't + * understand / can't handle, so we have it available + * for when we come to write back out again + */ @Internal public final class UnhandledDataStructure { @@ -26,14 +33,20 @@ public final class UnhandledDataStructure public UnhandledDataStructure(byte[] buf, int offset, int length) { -// System.out.println("Yes, using my code"); - _buf = new byte[length]; + // Sanity check the size they've asked for if (offset + length > buf.length) { - throw new IndexOutOfBoundsException("buffer length is " + buf.length + - "but code is trying to read " + length + " from offset " + offset); + throw new IndexOutOfBoundsException("Buffer Length is " + buf.length + " " + + "but code is tried to read " + length + " from offset " + offset); } - System.arraycopy(buf, offset, _buf, 0, length); + if (offset < 0 || length < 0) + { + throw new IndexOutOfBoundsException("Offset and Length must both be >= 0, negative " + + "indicies are not permitted - code is tried to read " + length + " from offset " + offset); + } + + // Save that requested portion of the data + _buf = Arrays.copyOfRange(buf, offset, offset + length); } byte[] getBuf()