[gnumeric] xls: corrupted file fix.

[Morten Welinder <mortenw src gnome org>]

commit 88dccb51c89f144f434c2954480c31123c1adc81
Author: Morten Welinder <terra gnome org>
Date:   Wed Aug 14 19:49:56 2013 -0400

    xls: corrupted file fix.

 NEWS                         |    2 +-
 plugins/excel/ChangeLog      |    5 +++++
 plugins/excel/ms-container.c |    1 +
 3 files changed, 7 insertions(+), 1 deletions(-)
---
diff --git a/NEWS b/NEWS
index e90a81f..6d29daa 100644
--- a/NEWS
+++ b/NEWS
@@ -34,7 +34,7 @@ Jean:
 Morten:
        * Fix crazy parsing problem.  [#704109] [#704140]
        * Fix crashes on corrupted files.  [#704102] [#704004] [#704325]
-       [#704562]
+       [#704562] [#705866]
        * Fix conditional format problem.  [#704445]
        * Fix R1C1 parsing issue.  [#705637]
        * Improve handling of large-area conditional styles.
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index af8d5e4..ff0f97a 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2013-08-14  Morten Welinder  <terra gnome org>
+
+       * ms-container.c (ms_container_read_markup): Add/reinstate bounds
+       check.  Fixes #705866.
+
 2013-08-05  Andreas J. Guelzow <aguelzow pyrshep ca>
 
        * excel-xml-read.c (xl_xml_cell_start): remember how many cols
diff --git a/plugins/excel/ms-container.c b/plugins/excel/ms-container.c
index 2a7dfda..5f9938a 100644
--- a/plugins/excel/ms-container.c
+++ b/plugins/excel/ms-container.c
@@ -273,6 +273,7 @@ ms_container_read_markup (MSContainer const *c,
                guint16 o = GSF_LE_GET_GUINT16 (data + txo_len);
                guint16 idx = GSF_LE_GET_GUINT16 (data + txo_len + 2);
 
+               XL_CHECK_CONDITION_VAL (o <= str_len, txo_run.accum);
                txo_run.first = g_utf8_offset_to_pointer (str, o) - str;
                XL_CHECK_CONDITION_VAL (txo_run.first < txo_run.last, txo_run.accum);