It would be good to limit the bytes in org.apache.poi.openxml4j.util.ZipInputStreamZipEntrySource with a FilterStream that counts the number of bytes up to a defined (configurable) value: The class org.apache.poi.openxml4j.util.ZipInputStreamZipEntrySource.FakeZipEntry uses in its constructor the Java class java.util.zip.ZipInputStream for decompressing the office files. Here the instance of this class could be wrapped with another java.io.FilterInputStream that performs the byte counting, as discussed on the private@poi.apache.org mailing list. Checking just the ZipEntry's entry.getSize() is not enough, since this value can be spoofed.
Fixed with r1687148