gnumeric r16321 - in branches/gnumeric-1-8: . plugins/excel

[mortenw svn gnome org]

Author: mortenw
Date: Thu Jan 31 14:17:15 2008
New Revision: 16321
URL: http://svn.gnome.org/viewvc/gnumeric?rev=16321&view=rev

Log:
2008-01-31  Morten Welinder  <terra gnome org>

	* ms-excel-read.c (excel_read_BOOLERR): Properly check record
	length.
	(excel_read_HEADER_FOOTER): Ditto.
	(excel_read_REFMODE): Ditto.  Fixes #513364.
	(excel_read_PAGE_BREAK): Ditto.  Fixes #513361.




Modified:
   branches/gnumeric-1-8/NEWS
   branches/gnumeric-1-8/plugins/excel/ChangeLog
   branches/gnumeric-1-8/plugins/excel/ms-excel-read.c

Modified: branches/gnumeric-1-8/NEWS
==============================================================================
--- branches/gnumeric-1-8/NEWS	(original)
+++ branches/gnumeric-1-8/NEWS	Thu Jan 31 14:17:15 2008
@@ -4,7 +4,7 @@
 	* Fix loading of solver constraints.
 	* Fix solver issue.  [#512500]
 	* Fix corrupted-xls-file problems.  [#512984] [#513005] [#513313]
-	  [#513317]
+	  [#513317] [#513361] [#513364]
 	* Fix non-ascii export problem.  [#511135]
 
 --------------------------------------------------------------------------

Modified: branches/gnumeric-1-8/plugins/excel/ms-excel-read.c
==============================================================================
--- branches/gnumeric-1-8/plugins/excel/ms-excel-read.c	(original)
+++ branches/gnumeric-1-8/plugins/excel/ms-excel-read.c	Thu Jan 31 14:17:15 2008
@@ -5606,9 +5606,11 @@
 static void
 excel_read_BOOLERR (BiffQuery *q, ExcelReadSheet *esheet)
 {
-	int base = (q->opcode == BIFF_BOOLERR_v0) ? 7 : 6;
+	unsigned base = (q->opcode == BIFF_BOOLERR_v0) ? 7 : 6;
 	GnmValue *v;
 
+	XL_CHECK_CONDITION (q->length >= base + 2);
+
 	if (GSF_LE_GET_GUINT8 (q->data + base + 1)) {
 		GnmEvalPos ep;
 		eval_pos_init (&ep, esheet->sheet, XL_GETCOL (q), XL_GETROW (q));
@@ -5646,6 +5648,8 @@
 			  BiffQuery *q, PrintInformation *pi,
 			  gboolean is_header)
 {
+	XL_CHECK_CONDITION (q->length >= (importer->ver >= MS_BIFF_V8 ? 4 : 2));
+
 	if (q->length) {
 		char *l, *c, *r, *str = (importer->ver >= MS_BIFF_V8)
 			? excel_get_text (importer, q->data + 2, GSF_LE_GET_GUINT16 (q->data), NULL)
@@ -5672,7 +5676,10 @@
 static void
 excel_read_REFMODE (BiffQuery *q, ExcelReadSheet *esheet)
 {
-	guint16 mode = GSF_LE_GET_GUINT16 (q->data);
+	guint16 mode;
+
+	XL_CHECK_CONDITION (q->length >= 2);
+	mode = GSF_LE_GET_GUINT16 (q->data);
 	g_object_set (esheet->sheet, "use-r1c1", mode == 0, NULL);
 }
 
@@ -5681,8 +5688,13 @@
 {
 	unsigned i;
 	unsigned step = (esheet_ver (esheet) >= MS_BIFF_V8) ? 6 : 2;
-	guint16  count = GSF_LE_GET_GUINT16 (q->data);
-	GnmPageBreaks *breaks = gnm_page_breaks_new (count, is_vert);
+	guint16 count;
+	GnmPageBreaks *breaks;
+
+	XL_CHECK_CONDITION (q->length >= 2);
+	count = GSF_LE_GET_GUINT16 (q->data);
+	XL_CHECK_CONDITION (q->length >= 2 + count * step);
+	breaks = gnm_page_breaks_new (count, is_vert);
 
 	/* 1) Ignore the first/last info for >= biff8
 	 * 2) Assume breaks are manual in the absence of any information  */