gnumeric r17263 - in trunk: . plugins/excel



Author: mortenw
Date: Tue Mar 31 19:09:41 2009
New Revision: 17263
URL: http://svn.gnome.org/viewvc/gnumeric?rev=17263&view=rev

Log:
2009-03-31  Morten Welinder  <terra gnome org>

	* ms-obj.c (read_pre_biff8_read_name_and_fmla): Add sanity checks.
	(ms_obj_read_pre_biff8_obj): Add and fix sanity checks.  Fixes
	#577504.



Modified:
   trunk/NEWS
   trunk/plugins/excel/ChangeLog
   trunk/plugins/excel/ms-obj.c

Modified: trunk/NEWS
==============================================================================
--- trunk/NEWS	(original)
+++ trunk/NEWS	Tue Mar 31 19:09:41 2009
@@ -8,7 +8,7 @@
 	* Fix Applix loading crash.  [#577145]
 	* Fix Lotus loading crash.  [#577156]
 	* Fix XLS loading crashes.  [#577205] [#577208] [#577259] [#577260]
-	[#577348] [#577351] [#577399] [#577400] [#577503]
+	[#577348] [#577351] [#577399] [#577400] [#577503] [#577504]
 	* Add sorted sheet list to tab menu.
 	* Fix criticals during Lotus load.
 

Modified: trunk/plugins/excel/ms-obj.c
==============================================================================
--- trunk/plugins/excel/ms-obj.c	(original)
+++ trunk/plugins/excel/ms-obj.c	Tue Mar 31 19:09:41 2009
@@ -625,8 +625,12 @@
 read_pre_biff8_read_name_and_fmla (BiffQuery *q, MSContainer *c, MSObj *obj,
 				   gboolean has_name, unsigned offset)
 {
-	guint8 const *data = q->data + offset;
-	gboolean const fmla_len = GSF_LE_GET_GUINT16 (q->data+26);
+	guint8 const *data;
+	gboolean fmla_len;
+
+	XL_CHECK_CONDITION_VAL (q->length >= offset, NULL);
+	data = q->data + offset;
+	fmla_len = GSF_LE_GET_GUINT16 (q->data+26);
 
 	if (has_name) {
 		guint8 const *last = q->data + q->length;
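Review bot: The new guard `q->length >= offset` does not cover the read on the line after it, `GSF_LE_GET_GUINT16 (q->data+26)`, which needs at least 28 bytes of record whatever `offset` is. The function patched in the next hunk checks `q->length >= 32` and is presumably the caller, so that path looks safe, but the helper would stand on its own with `XL_CHECK_CONDITION_VAL (q->length >= 28 && q->length >= offset, NULL);`. Separately, `fmla_len` is declared `gboolean` although it holds a 16-bit length; `guint16 fmla_len;` would state what it is. The function body continues outside the hunk.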
@@ -653,12 +657,16 @@
 	guint16 peek_op, tmp, len;
 	unsigned txo_len, if_empty;
 	guint8 const *data;
-	gboolean const has_name = GSF_LE_GET_GUINT16 (q->data+30) != 0; /* undocumented */
+	gboolean has_name;
+	guint8 *anchor;
+
+	XL_CHECK_CONDITION_VAL (q->length >= 32, TRUE);
 
+	has_name = GSF_LE_GET_GUINT16 (q->data+30) != 0; /* undocumented */
 #if 0
 	guint16 const flags = GSF_LE_GET_GUINT16(q->data+8);
 #endif
-	guint8 *anchor = g_malloc (MS_ANCHOR_SIZE);
+	anchor = g_malloc (MS_ANCHOR_SIZE);
 	memcpy (anchor, q->data+8, MS_ANCHOR_SIZE);
 	ms_obj_attr_bag_insert (obj->attrs,
 		ms_obj_attr_new_ptr (MS_OBJ_ATTR_ANCHOR, anchor));
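Review bot: The constant in `XL_CHECK_CONDITION_VAL (q->length >= 32, TRUE);` is unexplained, and it also has to bound the `memcpy (anchor, q->data+8, MS_ANCHOR_SIZE)` a few lines below it. It covers the two-byte read at `q->data+30`; whether it covers the copy depends on `8 + MS_ANCHOR_SIZE <= 32`, and the value of `MS_ANCHOR_SIZE` is not visible in this hunk. A comment such as `/* 30 + 2 for has_name; must also be >= 8 + MS_ANCHOR_SIZE for the anchor copy */` would record that assumption next to the check. The function starts and ends outside the hunk.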
@@ -670,7 +678,7 @@
 	case 0: /* group */
 		break;
 	case 1: /* line */
-		g_return_val_if_fail (q->data + 41 <= last, TRUE);
+		XL_CHECK_CONDITION_VAL (q->data + 41 <= last, TRUE);
 		tmp = GSF_LE_GET_GUINT8 (q->data+38) & 0x0F;
 		if (tmp > 0)
 			ms_obj_attr_bag_insert (obj->attrs,
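Review bot: The bound in `XL_CHECK_CONDITION_VAL (q->data + 41 <= last, TRUE);` is computed with pointer arithmetic that can itself step past the end of the record. Only 32 bytes are guaranteed by the earlier check, and forming `q->data + 41` on a shorter buffer is undefined in C before the comparison is even made. Assuming `last` is `q->data + q->length` (its definition is outside this hunk), comparing lengths expresses the same test without that hazard: `XL_CHECK_CONDITION_VAL (q->length >= 41, TRUE);`. The same applies to the `q->data + 36 <= last` check in the next hunk. The switch statement begins and ends outside the hunk.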
@@ -698,7 +706,7 @@
 	case 3: /* oval */
 	case 4: /* arc */
 	case 6: /* textbox */
-		g_return_val_if_fail (q->data + 36 <= last, TRUE);
+		XL_CHECK_CONDITION_VAL (q->data + 36 <= last, TRUE);
 		ms_obj_attr_bag_insert (obj->attrs,
 			ms_obj_attr_new_uint (MS_OBJ_ATTR_FILL_BACKGROUND,
 				0x80000000 | GSF_LE_GET_GUINT8 (q->data+34)));


