Bug 43116 - [PATCH] NegativeArraySizeException parsing xls file containing OLE objects
[PATCH] NegativeArraySizeException parsing xls file containing OLE objects
Status: RESOLVED FIXED
Product: POI
Classification: Unclassified
Component: HSSF
3.0-FINAL
Other other
: P2 blocker (vote)
: ---
Assigned To: POI Developers List
: PatchAvailable
Depends on:
Blocks:
  Show dependency tree
 
Reported: 2007-08-13 22:50 UTC by Trejkaz (pen name)
Modified: 2007-08-15 07:40 UTC (History)
0 users



Attachments
Test.java (463 bytes, text/plain)
2007-08-13 22:51 UTC, Trejkaz (pen name)
Details
ole2-embedding.xls (40.50 KB, application/octet-stream)
2007-08-13 22:51 UTC, Trejkaz (pen name)
Details
Proposed fix (450 bytes, patch)
2007-08-14 18:26 UTC, Trejkaz (pen name)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Trejkaz (pen name) 2007-08-13 22:50:47 UTC
I crafted a test Excel document in Excel 2003, putting embedded Word and
PowerPoint objects inside it.

I didn't expect it to handle these, but what it did was much worse than my
expectations. :-)

Test code and file will be attached in a minute, results in the following exception.

java.lang.NegativeArraySizeException
	at org.apache.poi.ddf.UnknownEscherRecord.fillFields(UnknownEscherRecord.java:76)
	at
org.apache.poi.ddf.EscherContainerRecord.fillFields(EscherContainerRecord.java:56)
	at
org.apache.poi.ddf.EscherContainerRecord.fillFields(EscherContainerRecord.java:56)
	at
org.apache.poi.hssf.record.AbstractEscherHolderRecord.convertToEscherRecords(AbstractEscherHolderRecord.java:101)
	at
org.apache.poi.hssf.record.AbstractEscherHolderRecord.decode(AbstractEscherHolderRecord.java:293)
	at
org.apache.poi.hssf.usermodel.HSSFWorkbook.getAllPictures(HSSFWorkbook.java:1337)
Comment 1 Trejkaz (pen name) 2007-08-13 22:51:11 UTC
Created attachment 20659 [details]
Test.java
Comment 2 Trejkaz (pen name) 2007-08-13 22:51:34 UTC
Created attachment 20660 [details]
ole2-embedding.xls
Comment 3 Trejkaz (pen name) 2007-08-14 18:26:32 UTC
Created attachment 20662 [details]
Proposed fix

Code in EscherBlipRecord.getRecordSize() was saying that the length of the
record was the length of the blip data plus 4, but the header size is actually
8.

Fixed by using the actual HEADER_SIZE constant.  File now at least parses as
expected.
Comment 4 Nick Burch 2007-08-15 07:40:04 UTC
Thanks, patch applied, and tests added