[Bug 61550] New: POI 3.17 buffer overrun when reading corrupt document summary information property set

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug 61550] New: POI 3.17 buffer overrun when reading corrupt document summary information property set

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61550

            Bug ID: 61550
           Summary: POI 3.17 buffer overrun when reading corrupt document
                    summary information property set
           Product: POI
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: HPSF
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

I have an MPP file which appears to have a corrupt document summary information
property set. Attempting to read it produces the stack trace below. The issue
is that the size of the CodePageString is larger than the data remaining in the
input stream.

Microsoft Project will open the file successfully, it appears to ignore the
corrupt properties.

Unfortunately I can't share the example data with you as it belongs to a
customer.

Caused by: java.lang.RuntimeException: Buffer overrun
        at
org.apache.poi.util.LittleEndianByteArrayInputStream.checkPosition(LittleEndianByteArrayInputStream.java:40)
        at
org.apache.poi.util.LittleEndianByteArrayInputStream.readFully(LittleEndianByteArrayInputStream.java:119)
        at org.apache.poi.hpsf.CodePageString.read(CodePageString.java:57)
        at
org.apache.poi.hpsf.TypedPropertyValue.readValue(TypedPropertyValue.java:135)
        at org.apache.poi.hpsf.VariantSupport.read(VariantSupport.java:174)
        at org.apache.poi.hpsf.Property.<init>(Property.java:179)
        at org.apache.poi.hpsf.MutableProperty.<init>(MutableProperty.java:53)
        at org.apache.poi.hpsf.Section.<init>(Section.java:237)
        at org.apache.poi.hpsf.MutableSection.<init>(MutableSection.java:41)
        at org.apache.poi.hpsf.PropertySet.init(PropertySet.java:494)
        at org.apache.poi.hpsf.PropertySet.<init>(PropertySet.java:196)

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61550] POI 3.17 buffer overrun when reading corrupt document summary information property set

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61550

Dominik Stadler <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Dominik Stadler <[hidden email]> ---
There have been some related changes via bug 61349, although I don't expect any
to have changed this fundamentally.

However, sadly, without a reproducing document we cannot do all that much here,
so I added some more output to print out more if it happens again with a
document that we can take a look at, see r1819772.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61550] POI 3.17 buffer overrun when reading corrupt document summary information property set

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61550

--- Comment #2 from Jon Iles <[hidden email]> ---
Thanks for looking Dominik. Here is the output when running the current 4.0.0
version from the GitHub mirror of POI against my problem file:

Caused by: java.lang.RuntimeException: Buffer overrun, having 4492 bytes in the
stream and position is at 4431, but trying to increment position by 92
        at
org.apache.poi.util.LittleEndianByteArrayInputStream.checkPosition(LittleEndianByteArrayInputStream.java:40)
        at
org.apache.poi.util.LittleEndianByteArrayInputStream.readFully(LittleEndianByteArrayInputStream.java:120)
        at org.apache.poi.hpsf.CodePageString.read(CodePageString.java:61)
        at
org.apache.poi.hpsf.TypedPropertyValue.readValue(TypedPropertyValue.java:135)
        at org.apache.poi.hpsf.VariantSupport.read(VariantSupport.java:176)
        at org.apache.poi.hpsf.Property.<init>(Property.java:179)
        at org.apache.poi.hpsf.Section.<init>(Section.java:240)
        at org.apache.poi.hpsf.PropertySet.init(PropertySet.java:492)
        at org.apache.poi.hpsf.PropertySet.<init>(PropertySet.java:195)
        at
net.sf.mpxj.mpp.ProjectPropertiesReader.process(ProjectPropertiesReader.java:118)
        ... 74 more

I'd be very happy to run instrumented code against this file to help you look
at this in more detail.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61550] POI 3.17 buffer overrun when reading corrupt document summary information property set

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61550

--- Comment #3 from Dominik Stadler <[hidden email]> ---
I would like to try to handle this more gracefully, but without a document
which triggers the problem, it is hard to build and keep in place in the long
run, any chance of producing such a document that you can share?

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]