poi-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From n...@apache.org
Subject svn commit: r495578 - /jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
Date Fri, 12 Jan 2007 14:19:36 GMT
Author: nick
Date: Fri Jan 12 06:19:35 2007
New Revision: 495578

URL: http://svn.apache.org/viewvc?view=rev&rev=495578
Log:
Throw an exception if a picture claims to have a negative amount of data. Should avoid problem
in bug #41357

Modified:
    jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java

Modified: jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java
URL: http://svn.apache.org/viewvc/jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java?view=diff&rev=495578&r1=495577&r2=495578
==============================================================================
--- jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java (original)
+++ jakarta/poi/trunk/src/scratchpad/src/org/apache/poi/hslf/HSLFSlideShow.java Fri Jan 12
06:19:35 2007
@@ -35,6 +35,7 @@
 import org.apache.poi.hpsf.SummaryInformation;
 import org.apache.poi.hpsf.DocumentSummaryInformation;
 
+import org.apache.poi.hslf.exceptions.CorruptPowerPointFileException;
 import org.apache.poi.hslf.exceptions.EncryptedPowerPointFileException;
 import org.apache.poi.hslf.record.*;
 import org.apache.poi.hslf.usermodel.PictureData;
@@ -271,6 +272,13 @@
             pos += LittleEndian.INT_SIZE;
             byte[] imgdata = new byte[imgsize];
             System.arraycopy(pictstream, pos, imgdata, 0, imgdata.length);
+
+			// The image size must be 0 or greater
+			// (0 is allowed, but odd, since we do wind on by the header each
+			//  time, so we won't get stuck)
+			if(imgsize < 0) {
+				throw new CorruptPowerPointFileException("The file contains a picture, at position "
+ p.size() + ", which has a negatively sized data length, so we can't trust any of the picture
data");
+			}
 
 			// If they type (including the bonus 0xF018) is 0, skip it
 			if(type == 0) {



---------------------------------------------------------------------
To unsubscribe, e-mail: poi-dev-unsubscribe@jakarta.apache.org
Mailing List:    http://jakarta.apache.org/site/mail2.html#poi
The Apache Jakarta POI Project: http://jakarta.apache.org/poi/


Mime
View raw message