Moderate severityNVD Advisory· Published Aug 7, 2012· Updated Apr 29, 2026
CVE-2012-0213
CVE-2012-0213
Description
The UnhandledDataStructure function in hwpf/model/UnhandledDataStructure.java in Apache POI 3.8 and earlier allows remote attackers to cause a denial of service (OutOfMemoryError exception and possibly JVM destabilization) via a crafted length value in a Channel Definition Format (CDF) or Compound File Binary Format (CFBF) document.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.poi:poiMaven | < 3.10-beta1 | 3.10-beta1 |
org.apache.poi:poi-scratchpadMaven | < 3.10-beta1 | 3.10-beta1 |
Affected products
60cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*+ 59 more
- cpe:2.3:a:apache:poi:*:*:*:*:*:*:*:*range: <=3.8
- cpe:2.3:a:apache:poi:0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.11.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.12.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.13.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.14.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.10:dev:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.7:dev:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:1.8:dev:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:pre1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:pre2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:pre3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.2:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0.2:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.1:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.1:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta4:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta5:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.5:beta6:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.7:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta1:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta2:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta3:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta4:*:*:*:*:*:*
- cpe:2.3:a:apache:poi:3.8:beta5:*:*:*:*:*:*
Patches
125bc67924418Fix bug #54682 - UnhandledDataStructure should sanity check before allocating, not after
1 file changed · +18 −5
src/scratchpad/src/org/apache/poi/hwpf/model/UnhandledDataStructure.java+18 −5 modified@@ -17,23 +17,36 @@ Licensed to the Apache Software Foundation (ASF) under one or more package org.apache.poi.hwpf.model; +import java.util.Arrays; + import org.apache.poi.util.Internal; +/** + * A data structure used to hold some data we don't + * understand / can't handle, so we have it available + * for when we come to write back out again + */ @Internal public final class UnhandledDataStructure { byte[] _buf; public UnhandledDataStructure(byte[] buf, int offset, int length) { -// System.out.println("Yes, using my code"); - _buf = new byte[length]; + // Sanity check the size they've asked for if (offset + length > buf.length) { - throw new IndexOutOfBoundsException("buffer length is " + buf.length + - "but code is trying to read " + length + " from offset " + offset); + throw new IndexOutOfBoundsException("Buffer Length is " + buf.length + " " + + "but code is tried to read " + length + " from offset " + offset); + } + if (offset < 0 || length < 0) + { + throw new IndexOutOfBoundsException("Offset and Length must both be >= 0, negative " + + "indicies are not permitted - code is tried to read " + length + " from offset " + offset); } - System.arraycopy(buf, offset, _buf, 0, length); + + // Save that requested portion of the data + _buf = Arrays.copyOfRange(buf, offset, offset + length); } byte[] getBuf()
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
13- secunia.com/advisories/49040nvdVendor Advisory
- github.com/advisories/GHSA-jqx5-h2hw-5q4fghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-0213ghsaADVISORY
- lists.fedoraproject.org/pipermail/package-announce/2012-August/084609.htmlnvdWEB
- www-01.ibm.com/support/docview.wssnvdWEB
- www.debian.org/security/2012/dsa-2468nvdWEB
- bugzilla.redhat.com/show_bug.cginvdWEB
- github.com/apache/poi/commit/25bc679244188d63de690354db0e3f301291e252ghsaWEB
- wiki.mageia.org/en/Support/Advisories/MGASA-2013-0044nvdWEB
- rhn.redhat.com/errata/RHSA-2012-1232.htmlnvd
- secunia.com/advisories/50549nvd
- www.mandriva.com/security/advisoriesnvd
- www.securityfocus.com/bid/53487nvd
News mentions
0No linked articles in our index yet.