[gnumeric] xls: fix another bogus-xls crash.

[Morten Welinder <mortenw src gnome org>]

commit 06fb7988aa3d2560b07bfd6eb16a5f417f0ed310
Author: Morten Welinder <terra gnome org>
Date:   Thu Jun 13 14:16:01 2013 -0400

    xls: fix another bogus-xls crash.

 NEWS                          |    2 +-
 plugins/excel/ChangeLog       |    4 ++++
 plugins/excel/ms-excel-read.c |   31 ++++++++++++++++++++-----------
 3 files changed, 25 insertions(+), 12 deletions(-)
---
diff --git a/NEWS b/NEWS
index b8a19fe..deb7370 100644
--- a/NEWS
+++ b/NEWS
@@ -52,7 +52,7 @@ Morten:
        * Introspection fixes.
        * Fix xls/biff5 link export.  [#701604]
        * Workaround problems with automake 1.13.
-       * Fix crash on bogus xls file.  [#702101]
+       * Fix crashes on bogus xls file.  [#702101] [#702182]
 
 --------------------------------------------------------------------------
 Gnumeric 1.12.2
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index ecb4747..5480d3a 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,7 @@
+2013-06-13  Morten Welinder  <terra gnome org>
+
+       * ms-excel-read.c (excel_read_COLINFO): Fix crash.  [#702182]
+
 2013-06-13  Jean Brefort  <jean brefort normalesup org>
 
        * ms-chart.c (end): don't crash when exchanging missing axes. [#702126]
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index 937aa5f..d56b6bc 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -4313,17 +4313,26 @@ excel_read_COLINFO (BiffQuery *q, ExcelReadSheet *esheet)
 {
        int i;
        double scale, width;
-       guint16 const  firstcol   = GSF_LE_GET_GUINT16 (q->data);
-       guint16        lastcol    = GSF_LE_GET_GUINT16 (q->data + 2);
-       int            charwidths = GSF_LE_GET_GUINT16 (q->data + 4);
-       guint16 const  xf         = GSF_LE_GET_GUINT16 (q->data + 6);
-       guint16 const  options    = GSF_LE_GET_GUINT16 (q->data + 8);
-       gboolean       hidden     = (options & 0x0001) != 0;
-       gboolean const customWidth= (options & 0x0002) != 0;    /* undocumented */
-       gboolean const bestFit    = (options & 0x0004) != 0;    /* undocumented */
-       gboolean const collapsed  = (options & 0x1000) != 0;
-       unsigned const outline_level = (unsigned)((options >> 8) & 0x7);
-       XL_font_width const *spec = xl_find_fontspec (esheet, &scale);
+       guint16 firstcol, lastcol;
+       int charwidths;
+       guint16 xf, options;
+       gboolean hidden, customWidth, bestFit, collapsed;
+       unsigned outline_level;
+       XL_font_width const *spec;
+
+       XL_CHECK_CONDITION (q->length >= 10);
+
+       firstcol = GSF_LE_GET_GUINT16 (q->data);
+       lastcol = GSF_LE_GET_GUINT16 (q->data + 2);
+       charwidths = GSF_LE_GET_GUINT16 (q->data + 4);
+       xf = GSF_LE_GET_GUINT16 (q->data + 6);
+       options = GSF_LE_GET_GUINT16 (q->data + 8);
+       hidden = (options & 0x0001) != 0;
+       customWidth = (options & 0x0002) != 0;  /* undocumented */
+       bestFit = (options & 0x0004) != 0;      /* undocumented */
+       collapsed  = (options & 0x1000) != 0;
+       outline_level = (unsigned)((options >> 8) & 0x7);
+       spec = xl_find_fontspec (esheet, &scale);
 
        XL_CHECK_CONDITION (firstcol < gnm_sheet_get_max_cols (esheet->sheet));
        g_return_if_fail (spec != NULL);