gnumeric r17254 - in trunk: . plugins/excel



Author: mortenw
Date: Mon Mar 30 00:27:55 2009
New Revision: 17254
URL: http://svn.gnome.org/viewvc/gnumeric?rev=17254&view=rev

Log:
2009-03-29  Morten Welinder  <terra gnome org>

	* ms-obj.c (ms_read_TXO): Add sanity check.

	* ms-biff.c (ms_biff_query_peek_next): Read the length field too
	and make sure there's enough left to read the data.  Fixes
	#577205.



Modified:
   trunk/NEWS
   trunk/plugins/excel/ChangeLog
   trunk/plugins/excel/ms-biff.c
   trunk/plugins/excel/ms-obj.c

Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS	(original)
+++ trunk/NEWS	Mon Mar 30 00:27:55 2009
@@ -7,7 +7,7 @@
 	* Improve XIRR a bit.
 	* Fix Applix loading crash.  [#577145]
 	* Fix Lotus loading crash.  [#577156]
-	* Fix XLS loading crash.  [#577208]
+	* Fix XLS loading crash.  [#577208, #577205]
 	* Add sorted sheet list to tab menu.
 
 --------------------------------------------------------------------------

Modified: trunk/plugins/excel/ms-biff.c
==============================================================================
--- trunk/plugins/excel/ms-biff.c	(original)
+++ trunk/plugins/excel/ms-biff.c	Mon Mar 30 00:27:55 2009
@@ -385,18 +385,19 @@
 ms_biff_query_peek_next (BiffQuery *q, guint16 *opcode)
 {
 	guint8 const *data;
+	guint16 len;
 
 	g_return_val_if_fail (opcode != NULL, FALSE);
 	g_return_val_if_fail (q != NULL, FALSE);
 
-	data = gsf_input_read (q->input, 2, NULL);
+	data = gsf_input_read (q->input, 4, NULL);
 	if (data == NULL)
 		return FALSE;
 	*opcode = GSF_LE_GET_GUINT16 (data);
+	len = GSF_LE_GET_GUINT16 (data + 2);
+	gsf_input_seek (q->input, -4, G_SEEK_CUR);
 
-	gsf_input_seek (q->input, -2, G_SEEK_CUR);
-
-	return TRUE;
+	return gsf_input_remaining (q->input) >= 4 + len;
 }
 
 /**
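Review bot: The result of `gsf_input_seek (q->input, -4, G_SEEK_CUR)` is discarded, so a failed rewind would leave the stream four bytes past the record header while the function can still return TRUE, and the next record read would then start mid-record. As far as I know libgsf's seek returns TRUE on error, so `if (gsf_input_seek (q->input, -4, G_SEEK_CUR)) return FALSE;` would close that gap. Separately, `*opcode` is now written before the length check, so a FALSE return for a truncated record still hands back an opcode taken from the file. The function's doc comment, which is outside this hunk, should state that `*opcode` must not be used when FALSE is returned.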

Modified: trunk/plugins/excel/ms-obj.c
==============================================================================
--- trunk/plugins/excel/ms-obj.c	(original)
+++ trunk/plugins/excel/ms-obj.c	Mon Mar 30 00:27:55 2009
@@ -405,17 +405,22 @@
 		"At bottom", "Verticaly justified"
 	};
 
-	guint16 const options     = GSF_LE_GET_GUINT16 (q->data);
-	guint16 const orient      = GSF_LE_GET_GUINT16 (q->data + 2);
-	guint16	      text_len    = GSF_LE_GET_GUINT16 (q->data + 10);
-/*	guint16 const num_formats = GSF_LE_GET_GUINT16 (q->data + 12);*/
-	int const halign = (options >> 1) & 0x7;
-	int const valign = (options >> 4) & 0x7;
-	char         *text;
-	guint16       op;
+	guint16 options, orient, text_len;
+	int halign, valign;
+	char *text;
+	guint16 op;
 	GString *accum;
 	gboolean continue_seen = FALSE;
 
+	XL_CHECK_CONDITION_VAL (q->length >= 14, g_strdup (""));
+
+	options = GSF_LE_GET_GUINT16 (q->data);
+	orient = GSF_LE_GET_GUINT16 (q->data + 2);
+	text_len = GSF_LE_GET_GUINT16 (q->data + 10);
+/*	guint16 const num_formats = GSF_LE_GET_GUINT16 (q->data + 12);*/
+	halign = (options >> 1) & 0x7;
+	valign = (options >> 4) & 0x7;
+
 	*markup = NULL;
 	if (text_len == 0)
 		return NULL;
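Review bot: The new `XL_CHECK_CONDITION_VAL (q->length >= 14, g_strdup (""));` sits above `*markup = NULL;`, so, assuming the macro returns its second argument when the condition fails (its definition is not visible here), a short TXO record leaves the caller's markup pointer unset. Moving `*markup = NULL;` to just before the check keeps the out-parameter defined on every exit path. The malformed-record exit also returns an empty string while the `text_len == 0` exit returns NULL; a short comment such as `/* malformed record: return empty text, no markup */` would make that difference deliberate. The function begins and continues outside this hunk.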
@@ -426,7 +431,8 @@
 		guint maxlen;
 
 		continue_seen = TRUE;
-		ms_biff_query_next (q);
+		if (q->length == 0)
+			continue;
 
 		use_utf16 = q->data[0] != 0;
 		maxlen = use_utf16 ? q->length / 2 : q->length-1;
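Review bot: The added `q->length == 0` guard protects the read of `q->data[0]`, but the UTF-16 bound on the last line still counts that flag byte: `q->length / 2` allows one character more than fits when `q->length` is even. The 8-bit branch already subtracts the flag byte, which suggests the text starts at `q->data + 1`, although the code that consumes `maxlen` is below this hunk. If so, `maxlen = use_utf16 ? (q->length - 1) / 2 : q->length - 1;` would keep the conversion inside the record. The loop header that now advances the record is also outside the hunk.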


