[gnumeric] xlsx: fix fuzzed file crash.

From: Morten Welinder <mortenw src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnumeric] xlsx: fix fuzzed file crash.
Date: Fri, 13 Dec 2013 21:29:16 +0000 (UTC)

commit ac264f021b126fa23c46d388095b67f2a2b5a950
Author: Morten Welinder <terra gnome org>
Date:   Fri Dec 13 16:28:53 2013 -0500

    xlsx: fix fuzzed file crash.

 NEWS                      |    1 +
 plugins/excel/ChangeLog   |    5 +++++
 plugins/excel/xlsx-read.c |    5 +++--
 3 files changed, 9 insertions(+), 2 deletions(-)
---
diff --git a/NEWS b/NEWS
index 883dbf4..ec79435 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ Morten:
        * Avoid some overflows in IMGAMMA.
        * Fix tabulation truncation issue.
        * Fix ABR.  [#720353]
+       * Fix fuzzed file crash.  [#720425]
 
 --------------------------------------------------------------------------
 Gnumeric 1.12.9
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 92bf50a..c612ebf 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2013-12-13  Morten Welinder  <terra gnome org>
+
+       * xlsx-read.c (xlsx_cell_end): Make sure state->texpr ends up
+       NULL.  Fixes #720425.
+
 2013-11-28  Morten Welinder <terra gnome org>
 
        * Release 1.12.9
diff --git a/plugins/excel/xlsx-read.c b/plugins/excel/xlsx-read.c
index 4b5d99f..3eda83a 100644
--- a/plugins/excel/xlsx-read.c
+++ b/plugins/excel/xlsx-read.c
@@ -1335,7 +1335,7 @@ xlsx_cell_expr_begin (GsfXMLIn *xin, xmlChar const **attrs)
                        has_range = TRUE;
 
        state->shared_id = NULL;
-       if (is_shared &&  NULL != shared_id) {
+       if (is_shared && NULL != shared_id) {
                if (!has_range)
                        state->texpr = g_hash_table_lookup (state->shared_exprs, shared_id);
                if (NULL != state->texpr)
@@ -1446,9 +1446,10 @@ xlsx_cell_end (GsfXMLIn *xin, G_GNUC_UNUSED GsfXMLBlob *blob)
                        gnm_cell_set_expr (cell, state->texpr);
                        gnm_expr_top_unref (state->texpr);
                }
-               state->texpr = NULL;
        } else if (NULL != state->val)
                gnm_cell_assign_value (cell, state->val);
+
+       state->texpr = NULL;
        state->val = NULL;
 }

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]