openSUSE:11.4:Update
File jakarta-poi-CVE-2012-0213.patch of Package jakarta-poi
The original finder wishes to remain anonymous. Please do not credit anyone with the discovery of this vulnerability. When processing certain malformed CDF/CFBF files, Apache POI (a Java library for processing Office document formats) allocates arrays with arbitrary sizes, as specified in the input document. This results in an OutOfMemoryError exception, but not necessarily in the thread processing the malformed file, destabilizing the JVM. The reproducers are likely to trigger antivirus alarms, so I have not included them. The patch below also removes debugging print statements triggered by malformed input files. I suggest to embargo this until 2012-03-06. I have not reported this anywhere else. This has been assigned CVE-2012-0213. Please Cc: me on subsequent communication, I'm not subscribed. Index: src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java =================================================================== --- src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java.orig 2004-04-09 15:05:32.000000000 +0200 +++ src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java 2012-05-16 13:59:59.846897728 +0200 @@ -16,6 +16,7 @@ ==================================================================== */ package org.apache.poi.hwpf.model; +import java.util.Arrays; public class UnhandledDataStructure { @@ -23,8 +24,12 @@ public UnhandledDataStructure(byte[] buf, int offset, int length) { - _buf = new byte[length]; - System.arraycopy(buf, offset, _buf, 0, length); + if (offset + length > buf.length || (offset | length | offset+length) < 0) + { + throw new IndexOutOfBoundsException("buffer length is " + buf.length + + "but code is trying to read " + length + " from offset " + offset); + } + _buf = Arrays.copyOfRange(buf, offset, offset + length); } byte[] getBuf()
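Review bot: In the constructor hunk, the exception message concatenates buf.length directly with "but code is trying to read", so it renders as "buffer length is 512but code is trying to read ..."; add the leading space (" but code is trying to read ") and a unit after the length (" bytes from offset "). The bounds test is complete only because an int overflow of offset+length produces a negative sum that the second clause, (offset | length | offset+length) < 0, catches; a short comment stating that, or putting the sign clause first, would keep a later edit from dropping it as redundant. The description says the patch also removes debugging print statements, but no such removal is present in the lines shown here.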