gnumeric r16361 - in trunk: . plugins/excel



Author: mortenw
Date: Sat Feb  9 00:07:11 2008
New Revision: 16361
URL: http://svn.gnome.org/viewvc/gnumeric?rev=16361&view=rev

Log:
2008-02-08  Morten Welinder  <terra gnome org>

	* ms-chart.c: Sprinkle some length checks.  Fixes #515269.



Modified:
   trunk/NEWS
   trunk/plugins/excel/ChangeLog
   trunk/plugins/excel/ms-chart.c

Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS	(original)
+++ trunk/NEWS	Sat Feb  9 00:07:11 2008
@@ -23,6 +23,7 @@
 	  [#513317] [#513361] [#513364] [#513551] [#513605] [#513608] [#513790]
 	  [#513787] [#513835] [#513963] [#514229] [#514230] [#514295] [#514435]
 	  [#514436] [#514437] [#514506] [#514510] [#514630] [#514637] [#515155]
+	  [#515269]
 	* Fix non-ascii export problem.  [#511135]
 	* Band-aid evaluation problem with broken xls.  [#513559]
 	* Fix circular array formula problem.

Modified: trunk/plugins/excel/ms-chart.c
==============================================================================
--- trunk/plugins/excel/ms-chart.c	(original)
+++ trunk/plugins/excel/ms-chart.c	Sat Feb  9 00:07:11 2008
@@ -782,6 +782,8 @@
 BC_R(chart)(XLChartHandler const *handle,
 	    XLChartReadState *s, BiffQuery *q)
 {
+	XL_CHECK_CONDITION_VAL (q->length >= 16, FALSE);
+
 	d (1, {
 	/* Fixed point 2 bytes fraction 2 bytes integer */
 	guint32 const x_pos_fixed = GSF_LE_GET_GUINT32 (q->data + 0);
@@ -806,8 +808,12 @@
 BC_R(chartformat)(XLChartHandler const *handle,
 		  XLChartReadState *s, BiffQuery *q)
 {
-	guint16 const flags = GSF_LE_GET_GUINT16 (q->data+16);
-	guint16 const z_order = GSF_LE_GET_GUINT16 (q->data+18);
+	guint16 flags, z_order;
+
+	XL_CHECK_CONDITION_VAL (q->length >= 4, FALSE);
+
+	flags = GSF_LE_GET_GUINT16 (q->data+16);
+	z_order = GSF_LE_GET_GUINT16 (q->data+18);
 
 	/* always update the counter to keep the index in line with the chart
 	 * group specifier for series */
@@ -845,9 +851,11 @@
 BC_R(chartline)(XLChartHandler const *handle,
 		XLChartReadState *s, BiffQuery *q)
 {
-	guint16 const type = GSF_LE_GET_GUINT16 (q->data);
+	guint16 type;
 
-	g_return_val_if_fail (type <= 2, FALSE);
+	XL_CHECK_CONDITION_VAL (q->length >= 2, FALSE);
+	type = GSF_LE_GET_GUINT16 (q->data);
+	XL_CHECK_CONDITION_VAL (type <= 2, FALSE);
 
 	if (type == 1)
 		s->hilo = TRUE;
@@ -875,6 +883,8 @@
 BC_R(dat)(XLChartHandler const *handle,
 	  XLChartReadState *s, BiffQuery *q)
 {
+	XL_CHECK_CONDITION_VAL (q->length >= 2, FALSE);
+
 #if 0
 	gint16 const flags = GSF_LE_GET_GUINT16 (q->data);
 	gboolean const horiz_border = (flags&0x01) ? TRUE : FALSE;
@@ -925,7 +935,10 @@
 BC_R(defaulttext)(XLChartHandler const *handle,
 		  XLChartReadState *s, BiffQuery *q)
 {
-	guint16	const tmp = GSF_LE_GET_GUINT16 (q->data);
+	guint16	tmp;
+
+	XL_CHECK_CONDITION_VAL (q->length >= 2, FALSE);
+	tmp = GSF_LE_GET_GUINT16 (q->data);
 
 	d (2, g_printerr ("applicability = %hd\n", tmp););
 
@@ -935,7 +948,7 @@
 	 * 2 == All text in chart
 	 * 3 == Undocumented ??
 	 */
-	g_return_val_if_fail (tmp <= 3, TRUE);
+	XL_CHECK_CONDITION_VAL (tmp <= 3, TRUE);
 	return FALSE;
 }
 
@@ -945,6 +958,8 @@
 BC_R(dropbar)(XLChartHandler const *handle,
 	      XLChartReadState *s, BiffQuery *q)
 {
+	XL_CHECK_CONDITION_VAL (q->length >= 2, FALSE);
+
 	/* NOTE : The docs lie.  values > 100 seem legal.  My guess based on
 	 * the ui is 500.
 	 */



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]