[gnumeric] xml: avoid near-infitely loop for bogus column/row info.

[Morten Welinder <mortenw src gnome org>]

commit 04f168dbeb2482d6bf15fe256f396d90c97db729
Author: Morten Welinder <terra gnome org>
Date:   Thu Aug 5 13:38:21 2010 -0400

    xml: avoid near-infitely loop for bogus column/row info.

 ChangeLog          |    1 +
 src/xml-sax-read.c |    7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 56a0f24..40e7622 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
 
 	* src/xml-sax-read.c (xml_sax_must_have_sheet): New function.  Use
 	heavily throughout the parser.  Fixes #626043.
+	(xml_sax_colrow): Avoid near-infinite loop.
 
 2010-08-04  Morten Welinder  <terra gnome org>
 
diff --git a/src/xml-sax-read.c b/src/xml-sax-read.c
index f41853e..0ff0085 100644
--- a/src/xml-sax-read.c
+++ b/src/xml-sax-read.c
@@ -1273,8 +1273,7 @@ xml_sax_colrow (GsfXMLIn *xin, xmlChar const **attrs)
 	int hidden = 0, hard_size = 0, is_collapsed = 0, outline_level = 0;
 	int count = 1;
 	gboolean const is_col = xin->node->user_data.v_bool;
-
-	xml_sax_must_have_sheet (state);
+	Sheet *sheet = xml_sax_must_have_sheet (state);
 
 	maybe_update_progress (xin);
 
@@ -1301,6 +1300,10 @@ xml_sax_colrow (GsfXMLIn *xin, xmlChar const **attrs)
 		}
 	}
 
+	XML_CHECK (pos >= 0 && pos < colrow_max (is_col, sheet));
+	XML_CHECK (count >= 1);
+	XML_CHECK (count <= colrow_max (is_col, sheet) - pos);
+
 	g_return_if_fail (cri != NULL && size > -1.);
 	cri->hard_size = hard_size;
 	cri->visible = !hidden;