gnumeric r17214 - in trunk: . plugins/excel



Author: mortenw
Date: Mon Mar 16 19:50:59 2009
New Revision: 17214
URL: http://svn.gnome.org/viewvc/gnumeric?rev=17214&view=rev

Log:
2009-03-16  Morten Welinder  <terra gnome org>

	* ms-excel-read.c (excel_read_LABEL_markup): Verify that offsets
	are sane.
	(excel_read_LABEL_markup): Ditto.  Fixes #575452.



Modified:
   trunk/NEWS
   trunk/plugins/excel/ChangeLog
   trunk/plugins/excel/ms-container.c
   trunk/plugins/excel/ms-container.h
   trunk/plugins/excel/ms-excel-read.c
   trunk/plugins/excel/ms-obj.c

Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS	(original)
+++ trunk/NEWS	Mon Mar 16 19:50:59 2009
@@ -37,6 +37,7 @@
 	* Fix xls writing crash.  [Part of #575318]
 	* Fix criticals in xls export for comments without author.
 	* Fix crash while loading broken xls.  [#575393]
+	* Fix string problem with broken xls.  [#575452]
 
 Sum1:
 	* Implement OOO probing.  [#574381]

Modified: trunk/plugins/excel/ms-container.c
==============================================================================
--- trunk/plugins/excel/ms-container.c	(original)
+++ trunk/plugins/excel/ms-container.c	Mon Mar 16 19:50:59 2009
@@ -15,6 +15,7 @@
 #include "ms-container.h"
 #include "ms-escher.h"
 #include "ms-obj.h"
+#include "ms-excel-util.h"
 
 #include <expr-name.h>
 #include <str.h>
@@ -252,22 +253,35 @@
 	pango_attr_list_change (run->accum, dst);
 	return FALSE;
 }
+
 PangoAttrList *
 ms_container_read_markup (MSContainer const *c,
-			  guint8 const *data, int txo_len, char const *str)
+			  guint8 const *data, size_t txo_len,
+			  char const *str)
 {
 	TXORun txo_run;
+	size_t str_len;
 
 	g_return_val_if_fail (txo_len >= 16, NULL); /* min two records */
 
+	str_len = g_utf8_strlen (str, -1);
+
 	txo_run.last = G_MAXINT;
 	txo_run.accum = pango_attr_list_new ();
 	for (txo_len -= 16 ; txo_len >= 0 ; txo_len -= 8) {
-		txo_run.first = g_utf8_offset_to_pointer (str,
-			GSF_LE_GET_GUINT16 (data + txo_len)) - str;
-		pango_attr_list_filter (ms_container_get_markup (
-			c, GSF_LE_GET_GUINT16 (data + txo_len + 2)),
-			(PangoAttrFilterFunc) append_txorun, &txo_run);
+		guint16 o = GSF_LE_GET_GUINT16 (data + txo_len);
+		guint16 l = GSF_LE_GET_GUINT16 (data + txo_len + 2);
+		XL_CHECK_CONDITION_VAL (o + l < str_len,
+					(pango_attr_list_unref (txo_run.accum),
+					 NULL));
+
+		txo_run.first = g_utf8_offset_to_pointer (str, o) - str;
+		XL_CHECK_CONDITION_VAL (txo_run.first < txo_run.last,
+					(pango_attr_list_unref (txo_run.accum), NULL));
+					
+		pango_attr_list_filter (ms_container_get_markup (c, l),
+					(PangoAttrFilterFunc) append_txorun,
+					&txo_run);
 		txo_run.last = txo_run.first;
 	}
 	return txo_run.accum;
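Review bot: Changing `txo_len` to `size_t` makes the loop condition `txo_len >= 0` always true, so once the counter passes zero `txo_len -= 8` wraps around and the next `GSF_LE_GET_GUINT16 (data + txo_len)` reads outside the record buffer. The loop then ends only if one of the new `XL_CHECK_CONDITION_VAL` checks happens to fail. The parameter can stay unsigned if the records are walked with a signed index, e.g. `gssize i;` and `for (i = (gssize)txo_len - 16; i >= 0; i -= 8)`, reading from `data + i`. The function's closing brace lies outside this hunk.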

Modified: trunk/plugins/excel/ms-container.h
==============================================================================
--- trunk/plugins/excel/ms-container.h	(original)
+++ trunk/plugins/excel/ms-container.h	Mon Mar 16 19:50:59 2009
@@ -66,7 +66,7 @@
 GOFormat	*ms_container_get_fmt	  (MSContainer const *c, unsigned indx);
 PangoAttrList	*ms_container_get_markup  (MSContainer const *c, unsigned indx);
 PangoAttrList	*ms_container_read_markup (MSContainer const *c,
-					   guint8 const *data, int txo_len,
+					   guint8 const *data, size_t txo_len,
 					   char const *str);
 
 #endif /* GNM_EXCEL_CONTAINER_H */

Modified: trunk/plugins/excel/ms-excel-read.c
==============================================================================
--- trunk/plugins/excel/ms-excel-read.c	(original)
+++ trunk/plugins/excel/ms-excel-read.c	Mon Mar 16 19:50:59 2009
@@ -964,6 +964,7 @@
 	}
 
 	str_len_bytes = (use_utf16 ? 2 : 1) * length;
+
 	if (*byte_length > maxlen) {
 		*byte_length = maxlen;
 		length = 0;
@@ -1082,12 +1083,24 @@
 
 		txo_run.accum = pango_attr_list_new ();
 		while (n > 0) {
+			guint16 o,l;
+
 			n -= 4;
-			txo_run.first = g_utf8_offset_to_pointer (str,
-				GSF_LE_GET_GUINT16 (ptr + n)) - str;
-			pango_attr_list_filter (ms_container_get_markup (
-				c, GSF_LE_GET_GUINT16 (ptr + n + 2)),
-				(PangoAttrFilterFunc) append_markup, &txo_run);
+
+			o = GSF_LE_GET_GUINT16 (ptr + n);
+			l = GSF_LE_GET_GUINT16 (ptr + n + 2);
+			XL_CHECK_CONDITION_VAL (o + l < str_len,
+						(pango_attr_list_unref (txo_run.accum),
+						 NULL));
+
+			txo_run.first = g_utf8_offset_to_pointer (str, o) - str;
+			XL_CHECK_CONDITION_VAL (txo_run.first < txo_run.last,
+						(pango_attr_list_unref (txo_run.accum),
+						 NULL));
+
+			pango_attr_list_filter (ms_container_get_markup (c, l),
+						(PangoAttrFilterFunc) append_markup,
+						&txo_run);
 			txo_run.last = txo_run.first;
 		}
 	} else {
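Review bot: The new guard `o + l < str_len` adds the run's character offset to `l`, but `l` is then passed to `ms_container_get_markup (c, l)` as the markup index, so it does not appear to be a length. As written, a run whose offset is in range can be rejected only because its index is large, while `o` is the only value that decides whether `g_utf8_offset_to_pointer (str, o)` stays inside the string. Consider bounding the offset alone, `XL_CHECK_CONDITION_VAL (o <= str_len, ...)` (or `<` if an offset at the terminator is not valid for this record, which should be confirmed against sample files), and validating `l` separately if `ms_container_get_markup` does not already do so. The identical check in `ms_container_read_markup` in ms-container.c has the same issue. The enclosing function starts and ends outside this hunk.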
@@ -5819,8 +5832,7 @@
 	if (txt != NULL) {
 		GOFormat *fmt = NULL;
 		if (has_markup)
-			fmt = excel_read_LABEL_markup (q, esheet,
-						       txt, str_len);
+			fmt = excel_read_LABEL_markup (q, esheet, txt, strlen (txt));
 
 		/* might free txt, do not do this until after parsing markup */
 		v = value_new_string_nocopy (txt);
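Review bot: `strlen (txt)` is a byte count, while the offsets compared against this argument in `excel_read_LABEL_markup` are fed to `g_utf8_offset_to_pointer`, which counts characters. For text containing multi-byte UTF-8 characters the byte length exceeds the character count, so an out-of-range character offset can still pass the new check and move the pointer past the terminator. `ms_container_read_markup` in this same commit uses `g_utf8_strlen (str, -1)` for that bound, so passing `g_utf8_strlen (txt, -1)` here would keep the units consistent. This assumes the fourth argument is the `str_len` used in that check, whose declaration is outside the visible hunks. The enclosing function starts and ends outside this hunk.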

Modified: trunk/plugins/excel/ms-obj.c
==============================================================================
--- trunk/plugins/excel/ms-obj.c	(original)
+++ trunk/plugins/excel/ms-obj.c	Mon Mar 16 19:50:59 2009
@@ -442,7 +442,8 @@
 	if (continue_seen) {
 		if (ms_biff_query_peek_next (q, &op) && op == BIFF_CONTINUE) {
 			ms_biff_query_next (q);
-			*markup = ms_container_read_markup (c, q->data, q->length, text);
+			*markup = ms_container_read_markup (c, q->data, q->length,
+							    text);
 		} else {
 			g_warning ("Unusual, TXO text with no formatting has 0x%x @ 0x%x", op, q->streamPos);
 		}
@@ -565,7 +566,8 @@
 		ms_obj_attr_new_ptr (MS_OBJ_ATTR_TEXT, str));
 
 	if (NULL != markup_data) {
-		markup = ms_container_read_markup (c, markup_data->data, markup_data->len, str);
+		markup = ms_container_read_markup (c, markup_data->data, markup_data->len,
+						   str);
 		g_byte_array_free (markup_data, TRUE);
 	} else if (txo_len > 0) {
 		remaining = q->data + q->length - first;
@@ -581,10 +583,12 @@
 				txo_len -= q->length;
 			}
 			first = q->data + txo_len;
-			markup = ms_container_read_markup (c, accum->data, accum->len, str);
+			markup = ms_container_read_markup (c, accum->data, accum->len,
+							   str);
 			g_byte_array_free (accum, TRUE);
 		} else {
-			markup = ms_container_read_markup (c, first, txo_len, str);
+			markup = ms_container_read_markup (c, first, txo_len,
+							   str);
 			first += txo_len;
 		}
 	}


