Index: src/java/org/apache/poi/ddf/UnknownEscherRecord.java
===================================================================
--- src/java/org/apache/poi/ddf/UnknownEscherRecord.java	(revision 882355)
+++ src/java/org/apache/poi/ddf/UnknownEscherRecord.java	(working copy)
@@ -28,6 +28,7 @@
  * we do not explicitly support.
  *
  * @author Glen Stampoultzis (glens at apache.org)
+ * @author Zhang Zhang (zhangzzh at gmail.com)
  */
 public final class UnknownEscherRecord extends EscherRecord {
     private static final byte[] NO_BYTES = new byte[0];
@@ -42,6 +43,16 @@
 
     public int fillFields(byte[] data, int offset, EscherRecordFactory recordFactory) {
         int bytesRemaining = readHeader( data, offset );
+		/*
+		 * Modified by Zhang Zhang
+		 * Have a check between avaliable bytes and bytesRemaining, 
+		 * take the avaliable length if the bytesRemaining out of range.
+		 * July 09, 2010
+		 */
+		int avaliable = data.length - (offset + 8);
+		if (bytesRemaining > avaliable) {
+			bytesRemaining = avaliable;
+		}
         if (isContainerRecord()) {
             int bytesWritten = 0;
             thedata = new byte[0];
@@ -58,6 +69,7 @@
             }
             return bytesWritten;
         }
+
         thedata = new byte[bytesRemaining];
         System.arraycopy( data, offset + 8, thedata, 0, bytesRemaining );
         return bytesRemaining + 8;
Index: src/testcases/org/apache/poi/ddf/TestUnknownEscherRecord.java
===================================================================
--- src/testcases/org/apache/poi/ddf/TestUnknownEscherRecord.java	(revision 882355)
+++ src/testcases/org/apache/poi/ddf/TestUnknownEscherRecord.java	(working copy)
@@ -76,7 +76,45 @@
         assertTrue( r.isContainerRecord() );
         assertEquals( 1, r.getChildRecords().size() );
         assertEquals( (short) 0xFFFF, r.getChild( 0 ).getRecordId() );
+        
+        //Add by Zhang Zhang test error situation when remaining bytes > avalible bytes
+        testData =
+            "00 02 " + // options
+            "11 F1 " + // record id
+            "05 00 00 00 " + // remaining bytes
+            "01 02 03 04";
 
+	    r = new UnknownEscherRecord();
+	    r.fillFields( HexRead.readFromString( testData ), factory );
+	
+	    assertEquals( 0x0200, r.getOptions() );
+	    assertEquals( (short) 0xF111, r.getRecordId() );
+	    assertEquals( 12, r.getRecordSize() );
+	    assertFalse( r.isContainerRecord() );
+	    assertEquals( 0, r.getChildRecords().size() );
+	    assertEquals( 4, r.getData().length );
+	    assertEquals( 1, r.getData()[0] );
+	    assertEquals( 2, r.getData()[1] );
+	    assertEquals( 3, r.getData()[2] );
+	    assertEquals( 4, r.getData()[3] );
+	    
+        testData =
+            "0F 02 " + // options
+            "11 F1 " + // record id
+            "09 00 00 00 " + // remaining bytes
+            "00 02 " + // options
+            "FF FF " + // record id
+            "00 00 00 00";      // remaining bytes
+
+	    r = new UnknownEscherRecord();
+	    r.fillFields( HexRead.readFromString( testData ), factory );
+	
+	    assertEquals( 0x020F, r.getOptions() );
+	    assertEquals( (short) 0xF111, r.getRecordId() );
+	    assertEquals( 8, r.getRecordSize() );
+	    assertTrue( r.isContainerRecord() );
+	    assertEquals( 1, r.getChildRecords().size() );
+	    assertEquals( (short) 0xFFFF, r.getChild( 0 ).getRecordId() );
     }
 
     public void testSerialize() {