gnumeric r16319 - in branches/gnumeric-1-8: . plugins/excel



Author: mortenw
Date: Thu Jan 31 03:11:32 2008
New Revision: 16319
URL: http://svn.gnome.org/viewvc/gnumeric?rev=16319&view=rev

Log:
	(excel_read_SELECTION): Properly check record length.  Fixes #513317.



Modified:
   branches/gnumeric-1-8/NEWS
   branches/gnumeric-1-8/plugins/excel/ChangeLog
   branches/gnumeric-1-8/plugins/excel/ms-excel-read.c

Modified: branches/gnumeric-1-8/NEWS
==============================================================================
--- branches/gnumeric-1-8/NEWS	(original)
+++ branches/gnumeric-1-8/NEWS	Thu Jan 31 03:11:32 2008
@@ -3,7 +3,8 @@
 Morten:
 	* Fix loading of solver constraints.
 	* Fix solver issue.  [#512500]
-	* Fix corrupted-xls-file problems.  [#512984] [#513005] [513313]
+	* Fix corrupted-xls-file problems.  [#512984] [#513005] [#513313]
+	  [#513317]
 	* Fix non-ascii export problem.  [#511135]
 
 --------------------------------------------------------------------------

Modified: branches/gnumeric-1-8/plugins/excel/ms-excel-read.c
==============================================================================
--- branches/gnumeric-1-8/plugins/excel/ms-excel-read.c	(original)
+++ branches/gnumeric-1-8/plugins/excel/ms-excel-read.c	Thu Jan 31 03:11:32 2008
@@ -3856,17 +3856,21 @@
 excel_read_SELECTION (BiffQuery *q, ExcelReadSheet *esheet)
 {
 	GnmCellPos edit_pos, tmp;
-	unsigned const pane_number = GSF_LE_GET_GUINT8 (q->data);
-	int i, j = GSF_LE_GET_GUINT16 (q->data + 5);
-	int num_refs = GSF_LE_GET_GUINT16 (q->data + 7);
+	unsigned pane_number, i, j, num_refs;
 	guint8 *refs;
 	SheetView *sv = sheet_get_view (esheet->sheet, esheet->container.importer->wbv);
 	GnmRange r;
 
-	if (pane_number != esheet->active_pane)
-		return;
+	XL_CHECK_CONDITION (q->length >= 9);
+	pane_number = GSF_LE_GET_GUINT8 (q->data);
 	edit_pos.row = GSF_LE_GET_GUINT16 (q->data + 1);
 	edit_pos.col = GSF_LE_GET_GUINT16 (q->data + 3);
+	j = GSF_LE_GET_GUINT16 (q->data + 5);
+	num_refs = GSF_LE_GET_GUINT16 (q->data + 7);
+	XL_CHECK_CONDITION (q->length >= 9 + 6 * num_refs);
+
+	if (pane_number != esheet->active_pane)
+		return;
 
 	d (5, fprintf (stderr,"Start selection in pane #%d\n", pane_number););
 	d (5, fprintf (stderr,"Cursor: %s in Ref #%d\n", cellpos_as_string (&edit_pos),
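Review bot: The active-ref index `j` read from `q->data + 5` is not compared with `num_refs` anywhere in this hunk, while the two new length checks bound every other field taken from the record. If the code below uses `j` to select one of the 6-byte entries behind `refs` (the function continues past the end of the hunk, so this is not visible here), a crafted file could still point it past the validated area. Adding `XL_CHECK_CONDITION (num_refs == 0 || j < num_refs);` right after the second length check would close that. A one-line comment such as `/* header: pane(1) row(2) col(2) active ref(2) count(2), then 6 bytes per ref */` above the first check would also explain where the constants 9 and 6 come from.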


