Bug 50539 - Error reading in a vml file with unmatched <br>
Error reading in a vml file with unmatched <br>
Product: POI
Classification: Unclassified
Component: XSSF
PC Windows XP
: P2 normal (vote)
: ---
Assigned To: POI Developers List
Depends on:
  Show dependency tree
Reported: 2011-01-03 11:48 UTC by Jay Walters
Modified: 2011-02-04 11:44 UTC (History)
0 users

VML file illustrating the problem (11.73 KB, application/octet-stream)
2011-01-03 11:48 UTC, Jay Walters
Patch to resolve the issue and unit test the fix (5.01 KB, patch)
2011-01-03 16:13 UTC, Jay Walters
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Jay Walters 2011-01-03 11:48:05 UTC
Created attachment 26454 [details]
VML file illustrating the problem

In the EvilUnclosedBRFixingInputStream.java file, it does not properly handle a case where there is a <br> in the overflow part of the buffer. It throws a NegativeArraySizeException.

The fixup function needs to not process <br> tags past the end of the shortened buffer, and when returning the spare bytes it needs to run fixup.

You can process the attached VML file through the EvilUnclosedBRFixingInputStream to reproduce the exception.
Comment 1 Jay Walters 2011-01-03 16:13:19 UTC
Created attachment 26456 [details]
Patch to resolve the issue and unit test the fix

Includes the changes to EvilUnclosedBRFixingInputStream and to its unit test to verify the problem is resolved.
Comment 2 Nick Burch 2011-02-04 11:44:00 UTC
Thanks for the patch and unit test

After some pondering, I decided to refactor the class and fix a bit to make it clearer what is going on. I tweaked the test to try a wide range of buffer sizes, to simulate all the different cases of the br in the overflow, and it now passes all of them.

Fix committed in r1067217.