File jakarta-poi-CVE-2012-0213.patch of Package jakarta-poi

Overview Repositories Revisions Requests Users Attributes Meta

File jakarta-poi-CVE-2012-0213.patch of Package jakarta-poi

The original finder wishes to remain anonymous.  Please do not credit
anyone with the discovery of this vulnerability.

When processing certain malformed CDF/CFBF files, Apache POI (a Java
library for processing Office document formats) allocates arrays with
arbitrary sizes, as specified in the input document.  This results in
an OutOfMemoryError exception, but not necessarily in the thread
processing the malformed file, destabilizing the JVM.

The reproducers are likely to trigger antivirus alarms, so I have not
included them.

The patch below also removes debugging print statements triggered by
malformed input files.

I suggest to embargo this until 2012-03-06.  I have not reported this
anywhere else.  This has been assigned CVE-2012-0213.

Please Cc: me on subsequent communication, I'm not subscribed.

Index: src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java
===================================================================
--- src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java.orig	2004-04-09 15:05:32.000000000 +0200
+++ src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java	2012-05-16 13:59:59.846897728 +0200
@@ -16,6 +16,7 @@
 ==================================================================== */
         
 package org.apache.poi.hwpf.model;
+import java.util.Arrays;
 
 public class UnhandledDataStructure
 {
@@ -23,8 +24,12 @@
 
   public UnhandledDataStructure(byte[] buf, int offset, int length)
   {
-    _buf = new byte[length];
-    System.arraycopy(buf, offset, _buf, 0, length);
+      if (offset + length > buf.length || (offset | length | offset+length) < 0)
+      {
+          throw new IndexOutOfBoundsException("buffer length is " + buf.length +
+                  "but code is trying to read " + length + " from offset " + offset);
+      }
+      _buf = Arrays.copyOfRange(buf, offset, offset + length);
   }
 
   byte[] getBuf()

Places

File jakarta-poi-CVE-2012-0213.patch of Package jakarta-poi

Places