Bugzilla 48085 - improved error checking in BlockAllocationTableReader to trap unreasonable field values

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@832505 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Josh Micich 2009-11-03 18:48:20 +00:00
parent ef37deea55
commit f286580c44
4 changed files with 139 additions and 91 deletions

View File

@ -34,6 +34,7 @@
<changes> <changes>
<release version="3.6-beta1" date="2009-??-??"> <release version="3.6-beta1" date="2009-??-??">
<action dev="POI-DEVELOPERS" type="fix">48085 - improved error checking in BlockAllocationTableReader to trap unreasonable field values</action>
<action dev="POI-DEVELOPERS" type="fix">47924 - fixed logic for matching cells and comments in HSSFCell.getCellComment()</action> <action dev="POI-DEVELOPERS" type="fix">47924 - fixed logic for matching cells and comments in HSSFCell.getCellComment()</action>
<action dev="POI-DEVELOPERS" type="add">47942 - added implementation of protection features to XLSX and DOCX files</action> <action dev="POI-DEVELOPERS" type="add">47942 - added implementation of protection features to XLSX and DOCX files</action>
<action dev="POI-DEVELOPERS" type="fix">48070 - preserve leading and trailing white spaces in XSSFRichTextString</action> <action dev="POI-DEVELOPERS" type="fix">48070 - preserve leading and trailing white spaces in XSSFRichTextString</action>

View File

@ -42,7 +42,20 @@ import org.apache.poi.util.LittleEndianConsts;
* @author Marc Johnson (mjohnson at apache dot org) * @author Marc Johnson (mjohnson at apache dot org)
*/ */
public final class BlockAllocationTableReader { public final class BlockAllocationTableReader {
private IntList _entries;
/**
* Maximum size (in blocks) of the allocation table as supported by
* POI.<br/>
*
* This constant has been chosen to help POI identify corrupted data in the
* header block (rather than crash immediately with {@link OutOfMemoryError}
* ). It's not clear if the compound document format actually specifies any
* upper limits. For files with 512 byte blocks, having an allocation table
* of 65,535 blocks would correspond to a total file size of 4GB. Needless
* to say, POI probably cannot handle files anywhere near that size.
*/
private static final int MAX_BLOCK_COUNT = 65535;
private final IntList _entries;
/** /**
* create a BlockAllocationTableReader for an existing filesystem. Side * create a BlockAllocationTableReader for an existing filesystem. Side
@ -62,22 +75,20 @@ public final class BlockAllocationTableReader {
* @exception IOException if, in trying to create the table, we * @exception IOException if, in trying to create the table, we
* encounter logic errors * encounter logic errors
*/ */
public BlockAllocationTableReader(int block_count, int [] block_array,
public BlockAllocationTableReader(final int block_count, int xbat_count, int xbat_index, BlockList raw_block_list) throws IOException {
final int [] block_array,
final int xbat_count,
final int xbat_index,
final BlockList raw_block_list)
throws IOException
{
this(); this();
if (block_count <= 0) if (block_count <= 0) {
{
throw new IOException( throw new IOException(
"Illegal block count; minimum count is 1, got " + block_count "Illegal block count; minimum count is 1, got " + block_count
+ " instead"); + " instead");
} }
if (block_count > MAX_BLOCK_COUNT) {
throw new IOException("Block count " + block_count
+ " is too high. POI maximum is " + MAX_BLOCK_COUNT + ".");
}
// acquire raw data blocks containing the BAT block data // acquire raw data blocks containing the BAT block data
RawDataBlock blocks[] = new RawDataBlock[ block_count ]; RawDataBlock blocks[] = new RawDataBlock[ block_count ];
int limit = Math.min(block_count, block_array.length); int limit = Math.min(block_count, block_array.length);
@ -141,17 +152,13 @@ public final class BlockAllocationTableReader {
* *
* @exception IOException * @exception IOException
*/ */
BlockAllocationTableReader(ListManagedBlock[] blocks, BlockList raw_block_list)
BlockAllocationTableReader(final ListManagedBlock [] blocks, throws IOException {
final BlockList raw_block_list)
throws IOException
{
this(); this();
setEntries(blocks, raw_block_list); setEntries(blocks, raw_block_list);
} }
BlockAllocationTableReader() BlockAllocationTableReader() {
{
_entries = new IntList(); _entries = new IntList();
} }
@ -167,11 +174,8 @@ public final class BlockAllocationTableReader {
* *
* @exception IOException if there is a problem acquiring the blocks * @exception IOException if there is a problem acquiring the blocks
*/ */
ListManagedBlock [] fetchBlocks(final int startBlock, ListManagedBlock[] fetchBlocks(int startBlock, int headerPropertiesStartBlock,
final int headerPropertiesStartBlock, BlockList blockList) throws IOException {
final BlockList blockList)
throws IOException
{
List<ListManagedBlock> blocks = new ArrayList<ListManagedBlock>(); List<ListManagedBlock> blocks = new ArrayList<ListManagedBlock>();
int currentBlock = startBlock; int currentBlock = startBlock;
boolean firstPass = true; boolean firstPass = true;
@ -182,28 +186,28 @@ public final class BlockAllocationTableReader {
// Sometimes we have data, header, end // Sometimes we have data, header, end
// For those cases, stop at the header, not the end // For those cases, stop at the header, not the end
while (currentBlock != POIFSConstants.END_OF_CHAIN) { while (currentBlock != POIFSConstants.END_OF_CHAIN) {
try { try {
// Grab the data at the current block offset // Grab the data at the current block offset
dataBlock = blockList.remove(currentBlock); dataBlock = blockList.remove(currentBlock);
blocks.add(dataBlock); blocks.add(dataBlock);
// Now figure out which block we go to next // Now figure out which block we go to next
currentBlock = _entries.get(currentBlock); currentBlock = _entries.get(currentBlock);
firstPass = false; firstPass = false;
} catch(IOException e) { } catch(IOException e) {
if(currentBlock == headerPropertiesStartBlock) { if(currentBlock == headerPropertiesStartBlock) {
// Special case where things are in the wrong order // Special case where things are in the wrong order
System.err.println("Warning, header block comes after data blocks in POIFS block listing"); System.err.println("Warning, header block comes after data blocks in POIFS block listing");
currentBlock = POIFSConstants.END_OF_CHAIN; currentBlock = POIFSConstants.END_OF_CHAIN;
} else if(currentBlock == 0 && firstPass) { } else if(currentBlock == 0 && firstPass) {
// Special case where the termination isn't done right // Special case where the termination isn't done right
// on an empty set // on an empty set
System.err.println("Warning, incorrectly terminated empty data blocks in POIFS block listing (should end at -2, ended at 0)"); System.err.println("Warning, incorrectly terminated empty data blocks in POIFS block listing (should end at -2, ended at 0)");
currentBlock = POIFSConstants.END_OF_CHAIN; currentBlock = POIFSConstants.END_OF_CHAIN;
} else { } else {
// Ripple up // Ripple up
throw e; throw e;
} }
} }
} }
return blocks.toArray(new ListManagedBlock[blocks.size()]); return blocks.toArray(new ListManagedBlock[blocks.size()]);
@ -218,17 +222,14 @@ public final class BlockAllocationTableReader {
* *
* @return true if the specific block is used, else false * @return true if the specific block is used, else false
*/ */
boolean isUsed(final int index) boolean isUsed(int index) {
{
boolean rval = false;
try try {
{ return _entries.get(index) != -1;
rval = _entries.get(index) != -1;
} catch (IndexOutOfBoundsException e) { } catch (IndexOutOfBoundsException e) {
// ignored // ignored
return false;
} }
return rval;
} }
/** /**
@ -242,11 +243,8 @@ public final class BlockAllocationTableReader {
* *
* @exception IOException if the current block is unused * @exception IOException if the current block is unused
*/ */
int getNextBlockIndex(final int index) int getNextBlockIndex(int index) throws IOException {
throws IOException if (isUsed(index)) {
{
if (isUsed(index))
{
return _entries.get(index); return _entries.get(index);
} }
throw new IOException("index " + index + " is unused"); throw new IOException("index " + index + " is unused");
@ -259,10 +257,7 @@ public final class BlockAllocationTableReader {
* @param raw_blocks the list of blocks being managed. Unused * @param raw_blocks the list of blocks being managed. Unused
* blocks will be eliminated from the list * blocks will be eliminated from the list
*/ */
private void setEntries(final ListManagedBlock [] blocks, private void setEntries(ListManagedBlock[] blocks, BlockList raw_blocks) throws IOException {
final BlockList raw_blocks)
throws IOException
{
int limit = BATBlock.entriesPerBlock(); int limit = BATBlock.entriesPerBlock();
for (int block_index = 0; block_index < blocks.length; block_index++) for (int block_index = 0; block_index < blocks.length; block_index++)

View File

@ -47,25 +47,25 @@ public final class HeaderBlockReader {
* What big block size the file uses. Most files * What big block size the file uses. Most files
* use 512 bytes, but a few use 4096 * use 512 bytes, but a few use 4096
*/ */
private int bigBlockSize = POIFSConstants.BIG_BLOCK_SIZE; private final int bigBlockSize;
/** number of big block allocation table blocks (int) */ /** number of big block allocation table blocks (int) */
private int _bat_count; private final int _bat_count;
/** start of the property set block (int index of the property set /** start of the property set block (int index of the property set
* chain's first big block) * chain's first big block)
*/ */
private int _property_start; private final int _property_start;
/** start of the small block allocation table (int index of small /** start of the small block allocation table (int index of small
* block allocation table's first big block) * block allocation table's first big block)
*/ */
private int _sbat_start; private final int _sbat_start;
/** big block index for extension to the big block allocation table */ /** big block index for extension to the big block allocation table */
private int _xbat_start; private final int _xbat_start;
private int _xbat_count; private final int _xbat_count;
private byte[] _data; private final byte[] _data;
/** /**
* create a new HeaderBlockReader from an InputStream * create a new HeaderBlockReader from an InputStream
@ -82,32 +82,19 @@ public final class HeaderBlockReader {
byte[] blockStart = new byte[32]; byte[] blockStart = new byte[32];
int bsCount = IOUtils.readFully(stream, blockStart); int bsCount = IOUtils.readFully(stream, blockStart);
if(bsCount != 32) { if(bsCount != 32) {
alertShortRead(bsCount); throw alertShortRead(bsCount, 32);
}
// Figure out our block size
if(blockStart[30] == 12) {
bigBlockSize = POIFSConstants.LARGER_BIG_BLOCK_SIZE;
}
_data = new byte[ bigBlockSize ];
System.arraycopy(blockStart, 0, _data, 0, blockStart.length);
// Now we can read the rest of our header
int byte_count = IOUtils.readFully(stream, _data, blockStart.length, _data.length - blockStart.length);
if (byte_count+bsCount != bigBlockSize) {
alertShortRead(byte_count);
} }
// verify signature // verify signature
long signature = LittleEndian.getLong(_data, _signature_offset); long signature = LittleEndian.getLong(blockStart, _signature_offset);
if (signature != _signature) { if (signature != _signature) {
// Is it one of the usual suspects? // Is it one of the usual suspects?
byte[] OOXML_FILE_HEADER = POIFSConstants.OOXML_FILE_HEADER; byte[] OOXML_FILE_HEADER = POIFSConstants.OOXML_FILE_HEADER;
if(_data[0] == OOXML_FILE_HEADER[0] && if(blockStart[0] == OOXML_FILE_HEADER[0] &&
_data[1] == OOXML_FILE_HEADER[1] && blockStart[1] == OOXML_FILE_HEADER[1] &&
_data[2] == OOXML_FILE_HEADER[2] && blockStart[2] == OOXML_FILE_HEADER[2] &&
_data[3] == OOXML_FILE_HEADER[3]) { blockStart[3] == OOXML_FILE_HEADER[3]) {
throw new OfficeXmlFileException("The supplied data appears to be in the Office 2007+ XML. You are calling the part of POI that deals with OLE2 Office Documents. You need to call a different part of POI to process this data (eg XSSF instead of HSSF)"); throw new OfficeXmlFileException("The supplied data appears to be in the Office 2007+ XML. You are calling the part of POI that deals with OLE2 Office Documents. You need to call a different part of POI to process this data (eg XSSF instead of HSSF)");
} }
if ((signature & 0xFF8FFFFFFFFFFFFFL) == 0x0010000200040009L) { if ((signature & 0xFF8FFFFFFFFFFFFFL) == 0x0010000200040009L) {
@ -121,6 +108,27 @@ public final class HeaderBlockReader {
+ longToHex(signature) + ", expected " + longToHex(signature) + ", expected "
+ longToHex(_signature)); + longToHex(_signature));
} }
// Figure out our block size
switch (blockStart[30]) {
case 12:
bigBlockSize = POIFSConstants.LARGER_BIG_BLOCK_SIZE; break;
case 9:
bigBlockSize = POIFSConstants.BIG_BLOCK_SIZE; break;
default:
throw new IOException("Unsupported blocksize (2^"
+ blockStart[30] + "). Expected 2^9 or 2^12.");
}
_data = new byte[ bigBlockSize ];
System.arraycopy(blockStart, 0, _data, 0, blockStart.length);
// Now we can read the rest of our header
int byte_count = IOUtils.readFully(stream, _data, blockStart.length, _data.length - blockStart.length);
if (byte_count+bsCount != bigBlockSize) {
throw alertShortRead(byte_count, bigBlockSize);
}
_bat_count = getInt(_bat_count_offset, _data); _bat_count = getInt(_bat_count_offset, _data);
_property_start = getInt(_property_start_offset, _data); _property_start = getInt(_property_start_offset, _data);
_sbat_start = getInt(_sbat_start_offset, _data); _sbat_start = getInt(_sbat_start_offset, _data);
@ -136,7 +144,7 @@ public final class HeaderBlockReader {
return new String(HexDump.longToHex(value)); return new String(HexDump.longToHex(value));
} }
private void alertShortRead(int pRead) throws IOException { private static IOException alertShortRead(int pRead, int expectedReadSize) {
int read; int read;
if (pRead < 0) { if (pRead < 0) {
//Can't have -1 bytes read in the error message! //Can't have -1 bytes read in the error message!
@ -146,9 +154,9 @@ public final class HeaderBlockReader {
} }
String type = " byte" + (read == 1 ? (""): ("s")); String type = " byte" + (read == 1 ? (""): ("s"));
throw new IOException("Unable to read entire header; " return new IOException("Unable to read entire header; "
+ read + type + " read; expected " + read + type + " read; expected "
+ bigBlockSize + " bytes"); + expectedReadSize + " bytes");
} }
/** /**
@ -209,4 +217,3 @@ public final class HeaderBlockReader {
return bigBlockSize; return bigBlockSize;
} }
} }

View File

@ -20,10 +20,13 @@ package org.apache.poi.poifs.storage;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import java.util.Arrays;
import junit.framework.AssertionFailedError;
import junit.framework.TestCase; import junit.framework.TestCase;
import org.apache.poi.poifs.common.POIFSConstants; import org.apache.poi.poifs.common.POIFSConstants;
import org.apache.poi.util.HexRead;
import org.apache.poi.util.LittleEndian; import org.apache.poi.util.LittleEndian;
import org.apache.poi.util.LittleEndianConsts; import org.apache.poi.util.LittleEndianConsts;
@ -225,6 +228,7 @@ public final class TestBlockAllocationTableReader extends TestCase {
small_blocks.remove(j); small_blocks.remove(j);
fail("removing block " + j + " should have failed"); fail("removing block " + j + " should have failed");
} catch (IOException ignored) { } catch (IOException ignored) {
// expected during successful test
} }
} }
} }
@ -373,4 +377,45 @@ public final class TestBlockAllocationTableReader extends TestCase {
} }
} }
} }
/**
* Bugzilla 48085 describes an error where a corrupted Excel file causes POI to throw an
* {@link OutOfMemoryError}.
*/
public void testBadSectorAllocationTableSize_bug48085() {
	int BLOCK_SIZE = 512;

	// header bytes taken from the start of bugzilla attachment 24444
	// (padded out to a full 512 byte block below)
	byte[] initData = HexRead.readFromString(
		"D0 CF 11 E0 A1 B1 1A E1 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3E 20 03 20 FE FF 09 20" +
		"06 20 20 20 20 20 20 20 20 20 20 20 01 20 20 20 01 20 20 20 20 20 20 20 20 10 20 20 02 20 20 20" +
		"02 20 20 20 FE FF FF FF 20 20 20 20 20 20 20 20 "
	);
	// the rest of the block is 'FF'
	byte[] data = new byte[BLOCK_SIZE];
	Arrays.fill(data, (byte)0xFF);
	System.arraycopy(initData, 0, data, 0, initData.length);

	// similar code to POIFSFileSystem.<init>:
	InputStream stream = new ByteArrayInputStream(data);
	HeaderBlockReader hb;
	RawDataBlockList dataBlocks;
	try {
		hb = new HeaderBlockReader(stream);
		dataBlocks = new RawDataBlockList(stream, BLOCK_SIZE);
	} catch (IOException e) {
		// reading the header is only test set-up; a failure here is not what is being tested
		throw new RuntimeException(e);
	}
	try {
		new BlockAllocationTableReader(hb.getBATCount(), hb.getBATArray(), hb.getXBATCount(),
				hb.getXBATIndex(), dataBlocks);
		// without this, the test would pass even if the unreasonable block count were accepted
		fail("Expected IOException because the block count is too high");
	} catch (IOException e) {
		// expected during successful test
		assertEquals("Block count 538976257 is too high. POI maximum is 65535.", e.getMessage());
	} catch (OutOfMemoryError e) {
		// Frame [1] is this test method when the error was raised directly inside the
		// BlockAllocationTableReader constructor, i.e. the symptom described in bug 48085.
		// The name compared here must match this method's name exactly.
		StackTraceElement[] trace = e.getStackTrace();
		if (trace.length > 1
				&& trace[1].getMethodName().equals("testBadSectorAllocationTableSize_bug48085")) {
			throw new AssertionFailedError("Identified bug 48085");
		}
		// any other OutOfMemoryError must not be silently swallowed
		throw e;
	}
}
} }