diff -up src/java/org/apache/poi/poifs/storage/BlockAllocationTableReader.java.CVE-2012-0213 src/java/org/apache/poi/poifs/storage/BlockAllocationTableReader.java
--- src/java/org/apache/poi/poifs/storage/BlockAllocationTableReader.java.CVE-2012-0213 2012-03-17 07:18:56.000000000 -0600
+++ src/java/org/apache/poi/poifs/storage/BlockAllocationTableReader.java 2012-05-10 22:10:16.202991184 -0600
@@ -226,12 +226,10 @@ public final class BlockAllocationTableR
 } catch(IOException e) {
 if(currentBlock == headerPropertiesStartBlock) {
 // Special case where things are in the wrong order
- _logger.log(POILogger.WARN, "Warning, header block comes after data blocks in POIFS block listing");
 currentBlock = POIFSConstants.END_OF_CHAIN;
 } else if(currentBlock == 0 && firstPass) {
 // Special case where the termination isn't done right
 // on an empty set
- _logger.log(POILogger.WARN, "Warning, incorrectly terminated empty data blocks in POIFS block listing (should end at -2, ended at 0)");
 currentBlock = POIFSConstants.END_OF_CHAIN;
 } else {
 // Ripple up
diff -up src/scratchpad/src/org/apache/poi/hwpf/model/PropertyNode.java.CVE-2012-0213 src/scratchpad/src/org/apache/poi/hwpf/model/PropertyNode.java
--- src/scratchpad/src/org/apache/poi/hwpf/model/PropertyNode.java.CVE-2012-0213 2012-03-17 07:21:42.000000000 -0600
+++ src/scratchpad/src/org/apache/poi/hwpf/model/PropertyNode.java 2012-05-10 22:09:42.996434166 -0600
@@ -85,15 +85,11 @@ public abstract class PropertyNode<T ext
 _buf = buf;
 if(_cpStart < 0) {
- _logger.log(POILogger.WARN, "A property claimed to start before zero, at " + _cpStart + "! Resetting it to zero, and hoping for the best");
 _cpStart = 0;
 }
 if ( _cpEnd < _cpStart ) {
- _logger.log( POILogger.WARN, "A property claimed to end (" + _cpEnd
- + ") before start! "
- + "Resetting end to start, and hoping for the best" );
 _cpEnd = _cpStart;
 }
 }
diff -up src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java.CVE-2012-0213 src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java
--- src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java.CVE-2012-0213 2012-03-17 07:21:43.000000000 -0600
+++ src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java 2012-05-10 22:07:30.879770399 -0600
@@ -18,6 +18,7 @@ package org.apache.poi.hwpf.model;
 import org.apache.poi.util.Internal;
+import java.util.Arrays;
 @Internal
 public final class UnhandledDataStructure
@@ -27,13 +28,12 @@ public final class UnhandledDataStructur
 public UnhandledDataStructure(byte[] buf, int offset, int length) {
 // System.out.println("Yes, using my code");
- _buf = new byte[length];
- if (offset + length > buf.length)
+ if (offset + length > buf.length || (offset | length | offset+length) < 0)
 {
 throw new IndexOutOfBoundsException("buffer length is " + buf.length + "but code is trying to read " + length + " from offset " + offset);
 }
- System.arraycopy(buf, offset, _buf, 0, length);
+ _buf = Arrays.copyOfRange(buf, offset, offset + length);
 }
 byte[] getBuf()
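Review bot: The new guard in the UnhandledDataStructure constructor packs three conditions into `(offset | length | offset+length) < 0`, which is correct (a set sign bit in any operand survives the OR, so negative inputs and int overflow of the sum are both rejected) but is not obvious to the next reader of a CVE fix. I would either add `// reject negative offset/length and int overflow of offset + length before copying` above it, or spell it out as `if (offset < 0 || length < 0 || length > buf.length - offset)`, which cannot overflow. The unchanged message on the throw line is missing a space before "but", so the buffer length and the following word run together in the exception text. Since offset and length presumably come from the parsed document, a regression test with an oversized and a negative length would pin the fact that validation now happens before any allocation.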