61295 -- prevent potential oom in HPSF triggered by fuzzed file

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1802879 13f79535-47bb-0310-9956-ffa450edef68
apache · Jul 25, 2017 · df39101 · df39101
1 parent 67719a8
commit df39101
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/src/java/org/apache/poi/hpsf/Vector.java b/src/java/org/apache/poi/hpsf/Vector.java
@@ -16,6 +16,9 @@ Licensed to the Apache Software Foundation (ASF) under one or more
 ==================================================================== */
 package org.apache.poi.hpsf;
 
+import java.util.ArrayList;
+import java.util.List;
+
 import org.apache.poi.util.Internal;
 import org.apache.poi.util.LittleEndianByteArrayInputStream;
 
@@ -40,8 +43,11 @@ void read( LittleEndianByteArrayInputStream lei ) {
         }
         final int length = (int) longLength;
 
-        _values = new TypedPropertyValue[length];
-
+        //BUG-61295 -- avoid OOM on corrupt file.  Build list instead
+        //of allocating array of length "length".
+        //If the length is corrupted and crazily big but < Integer.MAX_VALUE,
+        //this will trigger a RuntimeException "Buffer overrun" in lei.checkPosition
+        List<TypedPropertyValue> values = new ArrayList<TypedPropertyValue>();
         int paddedType = (_type == Variant.VT_VARIANT) ? 0 : _type;
         for ( int i = 0; i < length; i++ ) {
             TypedPropertyValue value = new TypedPropertyValue(paddedType, null);
@@ -50,8 +56,9 @@ void read( LittleEndianByteArrayInputStream lei ) {
             } else {
                 value.readValue(lei);
             }
-            _values[i] = value;
+            values.add(value);
         }
+        _values = values.toArray(new TypedPropertyValue[values.size()]);
     }
 
     TypedPropertyValue[] getValues(){