gnumeric r17259 - in trunk: . plugins/excel



Author: mortenw
Date: Tue Mar 31 13:12:24 2009
New Revision: 17259
URL: http://svn.gnome.org/viewvc/gnumeric?rev=17259&view=rev

Log:
2009-03-31  Morten Welinder  <terra gnome org>

	* ms-excel-read.c (excel_read_CF): Add sanity checks.  Fixes
	#577399.

	* ms-biff.c (ms_biff_query_next): If the read fails, make sure
	->length is zero to match the NULL ->data.



Modified:
   trunk/NEWS
   trunk/plugins/excel/ChangeLog
   trunk/plugins/excel/ms-biff.c
   trunk/plugins/excel/ms-excel-read.c

Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS	(original)
+++ trunk/NEWS	Tue Mar 31 13:12:24 2009
@@ -8,7 +8,7 @@
 	* Fix Applix loading crash.  [#577145]
 	* Fix Lotus loading crash.  [#577156]
 	* Fix XLS loading crashes.  [#577205] [#577208] [#577259] [#577260]
-	[#577348] [#577351]
+	[#577348] [#577351] [#577399]
 	* Add sorted sheet list to tab menu.
 	* Fix criticals during Lotus load.
 

Modified: trunk/plugins/excel/ms-biff.c
==============================================================================
--- trunk/plugins/excel/ms-biff.c	(original)
+++ trunk/plugins/excel/ms-biff.c	Tue Mar 31 13:12:24 2009
@@ -438,12 +438,12 @@
 	/* no biff record should be larger than around 20,000 */
 	XL_CHECK_CONDITION_VAL (len < 20000, FALSE);
 
-	q->length = len;
-	if (q->length > 0) {
+	if (len > 0) {
 		q->data = (guint8 *)gsf_input_read (q->input, q->length, NULL);
 		if (q->data == NULL)
 			return FALSE;
 	}
+	q->length = len;
 
 	if (q->encryption == MS_BIFF_CRYPTO_RC4) {
 		q->non_decrypted_data_malloced = q->data_malloced;
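Review bot: The gsf_input_read call on the line after the new `if (len > 0)` still passes `q->length`, but the assignment `q->length = len` has been moved below it, so the read now uses whatever length the previous record left in the query rather than this record's `len`; the read should be `q->data = (guint8 *)gsf_input_read (q->input, len, NULL);`. The failure path also no longer matches the log message: when the read returns NULL the function returns FALSE before `q->length` is assigned, so `q->length` keeps the stale previous value instead of being zero alongside the NULL `->data`; either zero it up front or write `q->length = 0;` just before that `return FALSE;`. ms_biff_query_next begins and continues outside this hunk, so it is not visible whether the caller resets the query on failure.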

Modified: trunk/plugins/excel/ms-excel-read.c
==============================================================================
--- trunk/plugins/excel/ms-excel-read.c	(original)
+++ trunk/plugins/excel/ms-excel-read.c	Tue Mar 31 13:12:24 2009
@@ -4774,13 +4774,19 @@
 static void
 excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc)
 {
-	guint8 const type	= GSF_LE_GET_GUINT8  (q->data + 0);
-	guint8 const op		= GSF_LE_GET_GUINT8  (q->data + 1);
-	guint16 const expr0_len	= GSF_LE_GET_GUINT16 (q->data + 2);
-	guint16 const expr1_len	= GSF_LE_GET_GUINT16 (q->data + 4);
-	guint32 const flags	= GSF_LE_GET_GUINT32 (q->data + 6);
+	guint8 type, op;
+	guint16 expr0_len,expr1_len;
+	guint32 flags;
 	unsigned offset;
-	GnmStyleCond	cond;
+	GnmStyleCond cond;
+
+	XL_CHECK_CONDITION (q->length >= 12);
+
+	type = GSF_LE_GET_GUINT8 (q->data + 0);
+	op = GSF_LE_GET_GUINT8 (q->data + 1);
+	expr0_len = GSF_LE_GET_GUINT16 (q->data + 2);
+	expr1_len = GSF_LE_GET_GUINT16 (q->data + 4);
+	flags = GSF_LE_GET_GUINT32 (q->data + 6);
 
 	d (1, {
 		gsf_mem_dump (q->data+6, 6);
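Review bot: The declaration `guint16 expr0_len,expr1_len;` drops the space after the comma, unlike `guint8 type, op;` two lines above and the rest of the file; write `guint16 expr0_len, expr1_len;`. The new `XL_CHECK_CONDITION (q->length >= 12)` covers the five fixed header fields (bytes 0–9) and the 6-byte debug dump starting at byte 6, which is worth stating in a short comment such as `/* fixed header: type, op, expr0_len, expr1_len, flags; the debug dump below reads through byte 12 */`. The two expression lengths read at bytes 2 and 4 come straight from the file and are not checked against `q->length` in this hunk; the code that consumes them is outside the hunk, so if it does not bound them itself a check there is still needed. excel_read_CF continues past the end of this hunk.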
@@ -4858,6 +4864,8 @@
 		guint8  tmp8, font_flags;
 		guint8 const *data = q->data + offset + 64;
 
+		XL_CHECK_CONDITION (q->length >= 64 + 54);
+
 		if (0xFFFFFFFF != (size = GSF_LE_GET_GUINT32 (data)))
 			gnm_style_set_font_size	(cond.overlay, size / 20.);
 		if (0xFFFFFFFF != (colour = GSF_LE_GET_GUINT32 (data + 16)))
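Review bot: The new guard `XL_CHECK_CONDITION (q->length >= 64 + 54)` does not account for `offset`, yet the pointer it protects is `q->data + offset + 64`, so whenever `offset` is non-zero the reads at `data`, `data + 16` and the rest of this block can still run past the end of the record; the check should be `XL_CHECK_CONDITION (q->length >= offset + 64 + 54);`. Since `q->length` is unsigned and `offset` is `unsigned`, the sum cannot go negative, but if `offset` can be large it is worth confirming that the addition cannot wrap before the comparison. The enclosing `if` block that sets `data` starts and ends outside this hunk, so I cannot see whether 54 is the full extent of what is read from `data` after the font-size and colour fields.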


