[gnumeric] xls: fix fuzzed file issue.



commit a878cb0014a536b1caf8f88b9d92a3a58411a3d4
Author: Morten Welinder <terra gnome org>
Date:   Sat Dec 21 14:43:15 2013 -0500

    xls: fix fuzzed file issue.

 NEWS                    |    2 +-
 plugins/excel/ChangeLog |    5 +++++
 plugins/excel/ms-obj.c  |    3 ++-
 3 files changed, 8 insertions(+), 2 deletions(-)
---
diff --git a/NEWS b/NEWS
index 9d3af43..3720d24 100644
--- a/NEWS
+++ b/NEWS
@@ -14,7 +14,7 @@ Morten:
        * Avoid some overflows in IMGAMMA.
        * Fix tabulation truncation issue.
        * Fix ABR.  [#720353]
-       * Fix fuzzed file crashes.  [#720425] [#720426]
+       * Fix fuzzed file crashes.  [#720425] [#720426] [#720358]
 
 --------------------------------------------------------------------------
 Gnumeric 1.12.9
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 5d6cb91..94bf4ab 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2013-12-21  Morten Welinder  <terra gnome org>
+
+       * ms-obj.c (read_pre_biff8_read_name_and_fmla): Fix and improve
+       length check.  Fixes #720358.
+
 2013-12-13  Morten Welinder  <terra gnome org>
 
        * ms-excel-read.c (excel_read_WINDOW2): Don't crash of truncated
diff --git a/plugins/excel/ms-obj.c b/plugins/excel/ms-obj.c
index 629e08c..c0c447b 100644
--- a/plugins/excel/ms-obj.c
+++ b/plugins/excel/ms-obj.c
@@ -635,9 +635,10 @@ read_pre_biff8_read_name_and_fmla (BiffQuery *q, MSContainer *c, MSObj *obj,
        guint8 const *data;
        gboolean fmla_len;
 
-       XL_CHECK_CONDITION_VAL (q->length >= offset, NULL);
+       XL_CHECK_CONDITION_VAL (q->length >= offset + 2, NULL);
        data = q->data + offset;
        fmla_len = GSF_LE_GET_GUINT16 (q->data+26);
+       XL_CHECK_CONDITION_VAL (q->length >= offset + 2 + fmla_len, NULL);
 
        if (has_name) {
                guint8 const *last = q->data + q->length;
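Review bot: The two-byte read at `q->data+26` on the line between the two added checks is covered by the new `q->length >= offset + 2` guard only if `offset` is at least 26, and nothing in the hunk establishes that; if the caller can pass a smaller offset, a record shorter than 28 bytes would still be read past its end, so an explicit `XL_CHECK_CONDITION_VAL (q->length >= 28, NULL);` before the `GSF_LE_GET_GUINT16` call would pin that bound independently of `offset`. Separately, `fmla_len` is declared `gboolean` but now holds a 16-bit length that feeds the bounds arithmetic in the second added check; `guint16 fmla_len;` would make the declaration match its use. The enclosing read_pre_biff8_read_name_and_fmla starts and ends outside the hunk.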

