Bug 60343 - Add bounds checking on style offsets in StylesTable
Summary: Add bounds checking on style offsets in StylesTable
Status: RESOLVED FIXED
Alias: None
Product: POI
Classification: Unclassified
Component: XSSF (show other bugs)
Version: 3.16-dev
Hardware: PC All
: P2 enhancement (vote)
Target Milestone: ---
Assignee: POI Developers List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-11-04 16:13 UTC by Tim Allison
Modified: 2016-11-22 14:51 UTC (History)
0 users


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Allison 2016-11-04 16:13:51 UTC 
On TIKA-2155, Seva Alekseyev supplied an xlsx that triggers an index out of bounds exception when trying to get a style from the StylesTable.  I haven't tried to open the file in Excel, but Seva has opened it.  The offending value in sheet67.xml is: <c r="L95" s="65535"/>... truly a bad value.

Stack:

java.lang.IndexOutOfBoundsException: Index: 65535, Size: 251

	at java.util.ArrayList.rangeCheck(ArrayList.java:653)
	at java.util.ArrayList.get(ArrayList.java:429)
	at org.apache.poi.xssf.model.StylesTable.getStyleAt(StylesTable.java:421)
	at org.apache.poi.xssf.eventusermodel.XSSFSheetXMLHandler.startElement(XSSFSheetXMLHandler.java:282)

My inclination is to add bounds checking to StylesTable and return null if a style is requested outside of the list range.  I'll leave this open for a few days to make sure there are no objections from colleagues that this is making the parser too lax.
Comment 1 Tim Allison 2016-11-22 14:51:46 UTC 
r1770848

StylesTable now returns null if idx is out of bounds.  This is a change in behavior, and I had to modify tests for bug49702 in TestXSSFWorkbook.

I'm happy to revert to old behavior in StylesTable as long as we protect against AIOOBE higher up the stack, perhaps in XSSFSheetXMLHandler?