Bug 60343

Summary: Add bounds checking on style offsets in StylesTable
Product: POI Reporter: Tim Allison <tallison>
Component: XSSFAssignee: POI Developers List <dev>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: P2    
Version: 3.16-dev   
Target Milestone: ---   
Hardware: PC   
OS: All   

Description Tim Allison 2016-11-04 16:13:51 UTC 
On TIKA-2155, Seva Alekseyev supplied an xlsx that triggers an index out of bounds exception when trying to get a style from the StylesTable.  I haven't tried to open the file in Excel, but Seva has opened it.  The offending value in sheet67.xml is: <c r="L95" s="65535"/>... truly a bad value.

Stack:

java.lang.IndexOutOfBoundsException: Index: 65535, Size: 251

	at java.util.ArrayList.rangeCheck(ArrayList.java:653)
	at java.util.ArrayList.get(ArrayList.java:429)
	at org.apache.poi.xssf.model.StylesTable.getStyleAt(StylesTable.java:421)
	at org.apache.poi.xssf.eventusermodel.XSSFSheetXMLHandler.startElement(XSSFSheetXMLHandler.java:282)

My inclination is to add bounds checking to StylesTable and return null if a style is requested outside of the list range.  I'll leave this open for a few days to make sure there are no objections from colleagues that this is making the parser too lax.
Comment 1 Tim Allison 2016-11-22 14:51:46 UTC 
r1770848

StylesTable now returns null if idx is out of bounds.  This is a change in behavior, and I had to modify tests for bug49702 in TestXSSFWorkbook.

I'm happy to revert to old behavior in StylesTable as long as we protect against AIOOBE higher up the stack, perhaps in XSSFSheetXMLHandler?