[gnumeric] MUNIT: protect against overflow.

[Morten Welinder <mortenw src gnome org>]

commit 4e1aa5dca9df939e575748091a657c87bcf789af
Author: Morten Welinder <terra gnome org>
Date:   Thu Jul 29 09:41:50 2010 -0400

    MUNIT: protect against overflow.

 plugins/fn-math/ChangeLog   |    4 ++++
 plugins/fn-math/functions.c |   13 ++++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)
---
diff --git a/plugins/fn-math/ChangeLog b/plugins/fn-math/ChangeLog
index bb4796c..d324fcb 100644
--- a/plugins/fn-math/ChangeLog
+++ b/plugins/fn-math/ChangeLog
@@ -2,6 +2,10 @@
 
 	* Release 1.10.8
 
+2010-07-29  Morten Welinder  <terra gnome org>
+
+	* functions.c (gnumeric_munit): Protect against overflow.
+
 2010-07-23 Andreas J. Guelzow <aguelzow pyrshep ca>
 
 	* functions.c (help_trunc): fix argument description
diff --git a/plugins/fn-math/functions.c b/plugins/fn-math/functions.c
index a1005ca..20b5666 100644
--- a/plugins/fn-math/functions.c
+++ b/plugins/fn-math/functions.c
@@ -2780,13 +2780,20 @@ static GnmValue *
 gnumeric_munit (GnmFuncEvalInfo *ei, GnmValue const * const *argv)
 {
 	gnm_float n = value_get_as_float (argv[0]);
-	gint ni = (int) n, c;
-
+	gint c, ni;
 	GnmValue *res;
 
 	if (n <= 0)
-		return value_new_error_NUM (ei->pos);;
+		return value_new_error_NUM (ei->pos);
+
+	/*
+	 * This provides some protection against bogus sizes and
+	 * running out of memory.
+	 */
+	if (n * n >= G_MAXINT)
+		return value_new_error_NUM (ei->pos);
 
+	ni = (int)n;
 	res = value_new_array (ni, ni);
 	for (c = 0; c < ni; ++c) {
 		value_release (res->v_array.vals[c][c]);