Bug 60256 - OLE10Native initialization OOM
Summary: OLE10Native initialization OOM
Status: RESOLVED FIXED
Alias: None
Product: POI
Classification: Unclassified
Component: POIFS
Version: unspecified
Hardware: PC Windows NT
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
Reported: 2016-10-14 13:14 UTC by Tim Allison
Modified: 2016-10-14 15:01 UTC



Attachments
Triggering embedded object (7.00 KB, application/x-ole-storage)
2016-10-14 13:14 UTC, Tim Allison

Description Tim Allison 2016-10-14 13:14:33 UTC
Created attachment 34373
Triggering embedded object

On TIKA-2115, Thomas Galla recently reported an OOM reading an embedded OLE10Native object.  I suspect something is going wrong with reading the length in OLE10Native's initialization code.

Embedded .bin file attached.

Code to reproduce:

        POIFSFileSystem fs = new POIFSFileSystem(getResourceAsStream("/test-documents/ole_1_0_oom.bin"));
        Ole10Native ole = Ole10Native.createFromEmbeddedOleObject(fs);
Comment 1 Tim Allison 2016-10-14 13:23:18 UTC
Triggering doc and "ignored" test stub added to TestOle10Native in r1764890.
Comment 2 Tim Allison 2016-10-14 13:58:16 UTC
The ole10Native object looks like a list of urls and keys...Corrupt data?

Should we add a length check in Ole10Native and call it a day?

        if (dataSize > data.length-ofs) {
            throw new Ole10NativeException("calculated data size > input byte array-offset");
        }
        dataBuffer = new byte[dataSize];
Comment 3 Tim Allison 2016-10-14 14:41:37 UTC
Y, this OLE object has no size NativeDataSize, which is required according to [1].  We're reading the actual data "ybut" as the length.

I'll add the size check and close this out.

[1] https://msdn.microsoft.com/en-us/library/dd942053.aspx
Comment 4 Tim Allison 2016-10-14 15:01:02 UTC
r1764927 

I added a length check.  We'll now get an exception for the embedded object because it is corrupt.  Please re-open if I've misunderstood the OLE10Native format.
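
The failure mode discussed in this thread, as an added example that is not POI's code and not part of the original report: a length-prefixed reader that validates the declared size against the bytes actually remaining before it allocates. The class and method names, the record layout and both sample inputs are constructed for illustration, and the byte order of "ybut" is an assumption; read little-endian, those four ASCII bytes decode to 1,953,849,977, roughly 1.8 GiB.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class LengthPrefixCheck {

    /** Reads a 4-byte little-endian length at ofs, then returns that many payload bytes. */
    static byte[] readSized(byte[] data, int ofs) {
        if (ofs < 0 || data.length - ofs < 4) {
            throw new IllegalArgumentException("no room for a 4-byte length at offset " + ofs);
        }
        int size = ByteBuffer.wrap(data, ofs, 4).order(ByteOrder.LITTLE_ENDIAN).getInt();
        int remaining = data.length - ofs - 4;
        // Validate before allocating. A declared size larger than the remaining input
        // is corrupt; a negative one (high bit set) would otherwise surface as a
        // NegativeArraySizeException instead of a clear parse error.
        if (size < 0 || size > remaining) {
            throw new IllegalArgumentException(
                    "declared size " + size + " exceeds " + remaining + " remaining bytes");
        }
        return Arrays.copyOfRange(data, ofs + 4, ofs + 4 + size);
    }

    public static void main(String[] args) {
        // Constructed input: well-formed record, length 5 followed by "hello".
        byte[] good = {5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o'};
        System.out.println(new String(readSized(good, 0), StandardCharsets.US_ASCII));

        // Constructed input: the length field is absent, so text bytes sit where
        // the reader expects the size.
        byte[] bad = "ybut more text".getBytes(StandardCharsets.US_ASCII);
        try {
            readSized(bad, 0);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```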