Bug 61550 - POI 3.17 buffer overrun when reading corrupt document summary information property set
Status: RESOLVED WONTFIX
Alias: None
Product: POI
Classification: Unclassified
Component: HPSF
Version: unspecified
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: POI Developers List
Reported: 2017-09-20 16:24 UTC by Jon Iles
Modified: 2018-01-06 11:31 UTC
Description Jon Iles 2017-09-20 16:24:33 UTC
I have an MPP file which appears to have a corrupt document summary information property set. Attempting to read it produces the stack trace below. The issue is that the size of the CodePageString is larger than the data remaining in the input stream.

Microsoft Project will open the file successfully; it appears to ignore the corrupt properties.

Unfortunately I can't share the example data with you as it belongs to a customer.

Caused by: java.lang.RuntimeException: Buffer overrun
	at org.apache.poi.util.LittleEndianByteArrayInputStream.checkPosition(LittleEndianByteArrayInputStream.java:40)
	at org.apache.poi.util.LittleEndianByteArrayInputStream.readFully(LittleEndianByteArrayInputStream.java:119)
	at org.apache.poi.hpsf.CodePageString.read(CodePageString.java:57)
	at org.apache.poi.hpsf.TypedPropertyValue.readValue(TypedPropertyValue.java:135)
	at org.apache.poi.hpsf.VariantSupport.read(VariantSupport.java:174)
	at org.apache.poi.hpsf.Property.<init>(Property.java:179)
	at org.apache.poi.hpsf.MutableProperty.<init>(MutableProperty.java:53)
	at org.apache.poi.hpsf.Section.<init>(Section.java:237)
	at org.apache.poi.hpsf.MutableSection.<init>(MutableSection.java:41)
	at org.apache.poi.hpsf.PropertySet.init(PropertySet.java:494)
	at org.apache.poi.hpsf.PropertySet.<init>(PropertySet.java:196)
Comment 1 Dominik Stadler 2018-01-01 14:54:38 UTC
There have been some related changes via bug 61349, although I don't expect any to have changed this fundamentally. 

However, sadly, without a reproducing document we cannot do all that much here, so I added some more output to print out more if it happens again with a document that we can take a look at, see r1819772.
Comment 2 Jon Iles 2018-01-02 19:12:50 UTC
Thanks for looking Dominik. Here is the output when running the current 4.0.0 version from the GitHub mirror of POI against my problem file:

Caused by: java.lang.RuntimeException: Buffer overrun, having 4492 bytes in the stream and position is at 4431, but trying to increment position by 92
	at org.apache.poi.util.LittleEndianByteArrayInputStream.checkPosition(LittleEndianByteArrayInputStream.java:40)
	at org.apache.poi.util.LittleEndianByteArrayInputStream.readFully(LittleEndianByteArrayInputStream.java:120)
	at org.apache.poi.hpsf.CodePageString.read(CodePageString.java:61)
	at org.apache.poi.hpsf.TypedPropertyValue.readValue(TypedPropertyValue.java:135)
	at org.apache.poi.hpsf.VariantSupport.read(VariantSupport.java:176)
	at org.apache.poi.hpsf.Property.<init>(Property.java:179)
	at org.apache.poi.hpsf.Section.<init>(Section.java:240)
	at org.apache.poi.hpsf.PropertySet.init(PropertySet.java:492)
	at org.apache.poi.hpsf.PropertySet.<init>(PropertySet.java:195)
	at net.sf.mpxj.mpp.ProjectPropertiesReader.process(ProjectPropertiesReader.java:118)
	... 74 more

I'd be very happy to run instrumented code against this file to help you look at this in more detail.
Comment 3 Dominik Stadler 2018-01-06 11:31:36 UTC
I would like to try to handle this more gracefully, but without a document which triggers the problem, it is hard to build and keep in place in the long run. Any chance of producing such a document that you can share?
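Added example, not part of the bug thread and not POI code: a length-prefixed string reader that checks the declared size against the bytes remaining and returns an empty result instead of throwing, which is the kind of graceful handling discussed above. The class and method names are hypothetical, ISO-8859-1 stands in for the property set's code page, and the input is constructed from the figures in comment 2 (4492-byte stream, position 4431, declared size 92).

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.Optional;

public class BoundedStringRead {

    /**
     * Reads a 4-byte little-endian size, then that many bytes of string data.
     * Returns Optional.empty() instead of throwing when the declared size
     * is negative or exceeds the bytes left in the buffer.
     */
    static Optional<String> readSizedString(ByteBuffer buf) {
        if (buf.remaining() < Integer.BYTES) {
            return Optional.empty();              // not even a size field left
        }
        int declared = buf.getInt();
        if (declared < 0 || declared > buf.remaining()) {
            // Design choice for this sketch: once a size field is implausible,
            // nothing after it can be located reliably, so stop parsing here.
            buf.position(buf.limit());
            return Optional.empty();
        }
        byte[] raw = new byte[declared];
        buf.get(raw);
        int len = declared;
        while (len > 0 && raw[len - 1] == 0) {    // drop trailing NUL padding
            len--;
        }
        return Optional.of(new String(raw, 0, len, StandardCharsets.ISO_8859_1));
    }

    public static void main(String[] args) {
        // Constructed input: one well-formed string at offset 0 and one corrupt
        // record whose size field ends at offset 4431 and claims 92 bytes,
        // although only 61 bytes remain in the 4492-byte buffer.
        ByteBuffer buf = ByteBuffer.allocate(4492).order(ByteOrder.LITTLE_ENDIAN);
        byte[] ok = "Project1\0".getBytes(StandardCharsets.ISO_8859_1);
        buf.putInt(ok.length).put(ok);
        buf.putInt(4427, 92);
        buf.position(0);

        System.out.println("valid record:   " + readSizedString(buf));
        buf.position(4427);
        System.out.println("corrupt record: " + readSizedString(buf));
    }
}
```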