[jira] [Commented] (XMLBEANS-641) Fuzzing XMLBeans triggers an assert() for an input-file via Apache POI

Tue, 03 Oct 2023 06:58:04 -0700 


    [ 
https://issues.apache.org/jira/browse/XMLBEANS-641?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17771491#comment-17771491
 ] 

PJ Fanning commented on XMLBEANS-641:
-------------------------------------

I tested this in POI and it failed at the read stage - not at the write stage.

I don't have an issue with hardening the XMLBeans Saver code. I will commit 
something now but I can't get a test to work because I cannot get a setup to 
work where I have a XMLBeans object that has an empty local part. The DOM 
parser catches it before we get that far.

```
org.apache.poi.ooxml.POIXMLException: Unable to read theme
        at 
org.apache.poi.xwpf.usermodel.XWPFTheme.onDocumentRead(XWPFTheme.java:164)
        at 
org.apache.poi.xwpf.usermodel.XWPFDocument.onDocumentRead(XWPFDocument.java:250)
        at org.apache.poi.ooxml.POIXMLDocument.load(POIXMLDocument.java:169)
        at 
org.apache.poi.xwpf.usermodel.XWPFDocument.<init>(XWPFDocument.java:163)
        at 
org.apache.poi.xwpf.XWPFTestDataSamples.openSampleDocument(XWPFTestDataSamples.java:31)
        at 
org.apache.poi.xwpf.usermodel.TestXWPFBugs.testFuzzIssue(TestXWPFBugs.java:293)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
org.junit.platform.commons.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:728)
        at 
org.junit.jupiter.engine.execution.MethodInvocation.proceed(MethodInvocation.java:60)
        at 
org.junit.jupiter.engine.execution.InvocationInterceptorChain$ValidatingInvocation.proceed(InvocationInterceptorChain.java:131)
        at 
org.junit.jupiter.engine.extension.TimeoutExtension.intercept(TimeoutExtension.java:156)
        at 
org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestableMethod(TimeoutExtension.java:147)
        at 
org.junit.jupiter.engine.extension.TimeoutExtension.interceptTestMethod(TimeoutExtension.java:86)
        at 
org.junit.jupiter.engine.execution.InterceptingExecutableInvoker$ReflectiveInterceptorCall.lambda$ofVoidMethod$0(InterceptingExecutableInvoker.java:103)
        at 
org.junit.jupiter.engine.execution.InterceptingExecutableInvoker.lambda$invoke$0(InterceptingExecutableInvoker.java:93)
        at 
org.junit.jupiter.engine.execution.InvocationInterceptorChain$InterceptedInvocation.proceed(InvocationInterceptorChain.java:106)
        at 
org.junit.jupiter.engine.execution.InvocationInterceptorChain.proceed(InvocationInterceptorChain.java:64)
        at 
org.junit.jupiter.engine.execution.InvocationInterceptorChain.chainAndInvoke(InvocationInterceptorChain.java:45)
        at 
org.junit.jupiter.engine.execution.InvocationInterceptorChain.invoke(InvocationInterceptorChain.java:37)
        at 
org.junit.jupiter.engine.execution.InterceptingExecutableInvoker.invoke(InterceptingExecutableInvoker.java:92)
        at 
org.junit.jupiter.engine.execution.InterceptingExecutableInvoker.invoke(InterceptingExecutableInvoker.java:86)
        at 
org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.lambda$invokeTestMethod$7(TestMethodTestDescriptor.java:218)
        at 
org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
        at 
org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.invokeTestMethod(TestMethodTestDescriptor.java:214)
        at 
org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:139)
        at 
org.junit.jupiter.engine.descriptor.TestMethodTestDescriptor.execute(TestMethodTestDescriptor.java:69)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:151)
        at 
org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
        at 
org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
        at 
org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)
        at 
org.junit.platform.engine.support.hierarchical.ForkJoinPoolHierarchicalTestExecutorService$ExclusiveTask.compute(ForkJoinPoolHierarchicalTestExecutorService.java:202)
        at 
org.junit.platform.engine.support.hierarchical.ForkJoinPoolHierarchicalTestExecutorService.invokeAll(ForkJoinPoolHierarchicalTestExecutorService.java:146)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:155)
        at 
org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
        at 
org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
        at 
org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)
        at 
org.junit.platform.engine.support.hierarchical.ForkJoinPoolHierarchicalTestExecutorService$ExclusiveTask.compute(ForkJoinPoolHierarchicalTestExecutorService.java:202)
        at 
org.junit.platform.engine.support.hierarchical.ForkJoinPoolHierarchicalTestExecutorService.invokeAll(ForkJoinPoolHierarchicalTestExecutorService.java:146)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$6(NodeTestTask.java:155)
        at 
org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$8(NodeTestTask.java:141)
        at 
org.junit.platform.engine.support.hierarchical.Node.around(Node.java:137)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.lambda$executeRecursively$9(NodeTestTask.java:139)
        at 
org.junit.platform.engine.support.hierarchical.ThrowableCollector.execute(ThrowableCollector.java:73)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.executeRecursively(NodeTestTask.java:138)
        at 
org.junit.platform.engine.support.hierarchical.NodeTestTask.execute(NodeTestTask.java:95)
        at 
org.junit.platform.engine.support.hierarchical.ForkJoinPoolHierarchicalTestExecutorService$ExclusiveTask.compute(ForkJoinPoolHierarchicalTestExecutorService.java:202)
        at java.util.concurrent.RecursiveAction.exec(RecursiveAction.java:189)
        at java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:289)
        at 
java.util.concurrent.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1056)
        at java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1692)
        at 
java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:175)
Caused by: org.apache.xmlbeans.XmlException: error: Element or attribute "a:" 
do not match QName production: QName::=(NCName:)?NCName.
        at 
org.apache.xmlbeans.impl.store.Locale$SaxLoader.load(Locale.java:2553)
        at 
org.apache.xmlbeans.impl.store.Locale.lambda$parseToXmlObject$3(Locale.java:717)
        at org.apache.xmlbeans.impl.store.Locale.syncWrap(Locale.java:490)
        at 
org.apache.xmlbeans.impl.store.Locale.parseToXmlObject(Locale.java:716)
        at 
org.apache.xmlbeans.impl.schema.SchemaTypeLoaderBase.parse(SchemaTypeLoaderBase.java:233)
        at 
org.apache.xmlbeans.impl.schema.AbstractDocumentFactory.parse(AbstractDocumentFactory.java:71)
        at 
org.apache.poi.xwpf.usermodel.XWPFTheme.onDocumentRead(XWPFTheme.java:161)
        ... 62 more
Caused by: org.xml.sax.SAXParseException; systemId: file://; lineNumber: 2; 
columnNumber: 6188; Element or attribute "a:" do not match QName production: 
QName::=(NCName:)?NCName.
        at 
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.createSAXParseException(ErrorHandlerWrapper.java:204)
        at 
com.sun.org.apache.xerces.internal.util.ErrorHandlerWrapper.fatalError(ErrorHandlerWrapper.java:178)
        at 
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:399)
        at 
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:326)
        at 
com.sun.org.apache.xerces.internal.impl.XMLErrorReporter.reportError(XMLErrorReporter.java:283)
        at 
com.sun.org.apache.xerces.internal.impl.XMLEntityScanner.scanQName(XMLEntityScanner.java:877)
        at 
com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.scanStartElement(XMLNSDocumentScannerImpl.java:193)
        at 
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2783)
        at 
com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:601)
        at 
com.sun.org.apache.xerces.internal.impl.XMLNSDocumentScannerImpl.next(XMLNSDocumentScannerImpl.java:112)
        at 
com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:504)
        at 
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:841)
        at 
com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:770)
        at 
com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
        at 
com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
        at 
com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:642)
        at 
org.apache.xmlbeans.impl.store.Locale$SaxLoader.load(Locale.java:2532)
        ... 68 more
```



> Fuzzing XMLBeans triggers an assert() for an input-file via Apache POI
> ----------------------------------------------------------------------
>
>                 Key: XMLBEANS-641
>                 URL: https://issues.apache.org/jira/browse/XMLBEANS-641
>             Project: XMLBeans
>          Issue Type: Bug
>            Reporter: Dominik Stadler
>            Priority: Major
>         Attachments: 
> clusterfuzz-testcase-minimized-POIXWPFFuzzer-6733884933668864.docx
>
>
> Fuzzing Apache POI via oss-fuzz shows the following assert() being triggered 
> via an input-file.
>  
> Would be good to convert to IllegalArgumentException or IllegalStateException 
> so that fuzzy testing can continue to flag other places where assert() is 
> used incorrectly.
>  
> {code:java}
>  at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitName(Saver.java:1099)
>  at org.apache.xmlbeans.impl.store.Saver$TextSaver.emitElement(Saver.java:894)
>  at org.apache.xmlbeans.impl.store.Saver.processElement(Saver.java:461)
>  at org.apache.xmlbeans.impl.store.Saver.process(Saver.java:291)
>  at org.apache.xmlbeans.impl.store.Saver$TextSaver.write(Saver.java:1696)
>  at 
> org.apache.xmlbeans.impl.store.Saver$InputStreamSaver.ensure(Saver.java:2348)
>  at 
> org.apache.xmlbeans.impl.store.Saver$InputStreamSaver.access$200(Saver.java:2234)
>  at 
> org.apache.xmlbeans.impl.store.Saver$InputStreamSaver$OutputStreamImpl.read(Saver.java:2393)
>  at 
> org.apache.xmlbeans.impl.store.Saver$InputStreamSaver.lambda$read$0(Saver.java:2332)
>  at org.apache.xmlbeans.impl.store.Saver.syncWrap(Saver.java:2184)
>  at org.apache.xmlbeans.impl.store.Saver.access$000(Saver.java:33)
>  at 
> org.apache.xmlbeans.impl.store.Saver$InputStreamSaver.read(Saver.java:2332)
>  at java.base/java.io.InputStream.read(InputStream.java:218)
>  at org.apache.xmlbeans.impl.store.Cursor._save(Cursor.java:570)
>  at org.apache.xmlbeans.impl.store.Cursor.lambda$save$17(Cursor.java:2006)
>  at org.apache.xmlbeans.impl.store.Cursor.syncWrapHelper(Cursor.java:2551)
>  at org.apache.xmlbeans.impl.store.Cursor.syncWrapIOEx(Cursor.java:2504)
>  at org.apache.xmlbeans.impl.store.Cursor.save(Cursor.java:2006)
>  at org.apache.xmlbeans.impl.values.XmlObjectBase.save(XmlObjectBase.java:190)
>  at org.apache.poi.xwpf.usermodel.XWPFTheme.commit(XWPFTheme.java:178)
>  at 
> org.apache.poi.ooxml.POIXMLDocumentPart.onSave(POIXMLDocumentPart.java:467)
>  at 
> org.apache.poi.ooxml.POIXMLDocumentPart.onSave(POIXMLDocumentPart.java:472)
>  at org.apache.poi.ooxml.POIXMLDocument.write(POIXMLDocument.java:221){code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@poi.apache.org
For additional commands, e-mail: dev-h...@poi.apache.org

Reply via email to