Bug 61550

Summary: POI 3.17 buffer overrun when reading corrupt document summary information property set
Product: POI
Reporter: Jon Iles <jon.iles>
Component: HPSF
Assignee: POI Developers List <dev>
Status: RESOLVED WONTFIX
Severity: normal
Priority: P2
Version: unspecified
Target Milestone: ---
Hardware: All
OS: All

Description Jon Iles 2017-09-20 16:24:33 UTC
I have an MPP file which appears to have a corrupt document summary information property set. Attempting to read it produces the stack trace below. The issue is that the size of the CodePageString is larger than the data remaining in the input stream.

Microsoft Project will open the file successfully; it appears to ignore the corrupt properties.

Unfortunately I can't share the example data with you as it belongs to a customer.

Caused by: java.lang.RuntimeException: Buffer overrun
	at org.apache.poi.util.LittleEndianByteArrayInputStream.checkPosition(LittleEndianByteArrayInputStream.java:40)
	at org.apache.poi.util.LittleEndianByteArrayInputStream.readFully(LittleEndianByteArrayInputStream.java:119)
	at org.apache.poi.hpsf.CodePageString.read(CodePageString.java:57)
	at org.apache.poi.hpsf.TypedPropertyValue.readValue(TypedPropertyValue.java:135)
	at org.apache.poi.hpsf.VariantSupport.read(VariantSupport.java:174)
	at org.apache.poi.hpsf.Property.<init>(Property.java:179)
	at org.apache.poi.hpsf.MutableProperty.<init>(MutableProperty.java:53)
	at org.apache.poi.hpsf.Section.<init>(Section.java:237)
	at org.apache.poi.hpsf.MutableSection.<init>(MutableSection.java:41)
	at org.apache.poi.hpsf.PropertySet.init(PropertySet.java:494)
	at org.apache.poi.hpsf.PropertySet.<init>(PropertySet.java:196)
Comment 1 Dominik Stadler 2018-01-01 14:54:38 UTC
There have been some related changes via bug 61349, although I don't expect any to have changed this fundamentally. 

However, sadly, without a reproducing document we cannot do all that much here, so I added some more output to print out more if it happens again with a document that we can take a look at; see r1819772.
Comment 2 Jon Iles 2018-01-02 19:12:50 UTC
Thanks for looking Dominik. Here is the output when running the current 4.0.0 version from the GitHub mirror of POI against my problem file:

Caused by: java.lang.RuntimeException: Buffer overrun, having 4492 bytes in the stream and position is at 4431, but trying to increment position by 92
	at org.apache.poi.util.LittleEndianByteArrayInputStream.checkPosition(LittleEndianByteArrayInputStream.java:40)
	at org.apache.poi.util.LittleEndianByteArrayInputStream.readFully(LittleEndianByteArrayInputStream.java:120)
	at org.apache.poi.hpsf.CodePageString.read(CodePageString.java:61)
	at org.apache.poi.hpsf.TypedPropertyValue.readValue(TypedPropertyValue.java:135)
	at org.apache.poi.hpsf.VariantSupport.read(VariantSupport.java:176)
	at org.apache.poi.hpsf.Property.<init>(Property.java:179)
	at org.apache.poi.hpsf.Section.<init>(Section.java:240)
	at org.apache.poi.hpsf.PropertySet.init(PropertySet.java:492)
	at org.apache.poi.hpsf.PropertySet.<init>(PropertySet.java:195)
	at net.sf.mpxj.mpp.ProjectPropertiesReader.process(ProjectPropertiesReader.java:118)
	... 74 more

I'd be very happy to run instrumented code against this file to help you look at this in more detail.
Comment 3 Dominik Stadler 2018-01-06 11:31:36 UTC
I would like to try to handle this more gracefully, but without a document which triggers the problem, it is hard to build and keep in place in the long run. Any chance of producing such a document that you can share?
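The failure reported in this bug, a length-prefixed string whose declared size exceeds the bytes left in the stream, can be handled by checking the size against the remaining data before reading. The sketch below is an added example, not Apache POI code and not written by anyone in this thread. The class and method names are hypothetical, and it assumes a 4-byte little-endian size prefix and a fixed ISO-8859-1 code page.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

// Added illustration; not Apache POI code. Assumed layout: a 4-byte
// little-endian size field followed by that many bytes of string data.
public class BoundedCodePageStringDemo {

    /** Returns the string, or empty if the declared size does not fit in the remaining data. */
    static Optional<String> readLenient(ByteBuffer in) {
        if (in.remaining() < Integer.BYTES) {
            return Optional.empty();            // not even a size field left
        }
        long size = Integer.toUnsignedLong(in.getInt());
        if (size > in.remaining()) {
            // Corrupt length: report it and read nothing further instead of overrunning.
            System.err.printf("corrupt string: size %d at position %d, only %d bytes left%n",
                    size, in.position(), in.remaining());
            return Optional.empty();
        }
        byte[] raw = new byte[(int) size];      // safe: size <= remaining() <= Integer.MAX_VALUE
        in.get(raw);
        // Strip a trailing NUL terminator and padding if present.
        int end = raw.length;
        while (end > 0 && raw[end - 1] == 0) {
            end--;
        }
        // Assumption: fixed code page; a real reader would use the property set's code page.
        return Optional.of(new String(raw, 0, end, StandardCharsets.ISO_8859_1));
    }

    public static void main(String[] args) {
        // Constructed buffer mirroring the numbers in the trace: 4492 bytes in total,
        // size field at offset 4427 claiming 92 bytes, so the position after it is 4431.
        ByteBuffer corrupt = ByteBuffer.allocate(4492).order(ByteOrder.LITTLE_ENDIAN);
        corrupt.putInt(4427, 92);
        corrupt.position(4427);
        System.out.println("corrupt -> " + readLenient(corrupt));

        // Constructed well-formed value: size 6, "Title" plus a NUL terminator.
        ByteBuffer ok = ByteBuffer.allocate(10).order(ByteOrder.LITTLE_ENDIAN);
        ok.putInt(6).put("Title\0".getBytes(StandardCharsets.ISO_8859_1));
        ok.flip();
        System.out.println("valid   -> " + readLenient(ok));
    }
}
```

Treating the size field as unsigned before the comparison matters: a corrupt value with the high bit set would otherwise be negative and slip past a naive `size > remaining` check.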