[gnumeric] xls: another fuzz case.

From: Morten Welinder <mortenw src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnumeric] xls: another fuzz case.
Date: Sun, 30 Jun 2013 15:24:37 +0000 (UTC)

commit 973f4e08fd8e2108643095fe4a1695d37a1401b9
Author: Morten Welinder <terra gnome org>
Date:   Sun Jun 30 11:24:23 2013 -0400

    xls: another fuzz case.

 NEWS                          |    4 ++--
 plugins/excel/ChangeLog       |    5 +++++
 plugins/excel/ms-excel-read.c |    5 ++++-
 3 files changed, 11 insertions(+), 3 deletions(-)
---
diff --git a/NEWS b/NEWS
index 0ecb7a5..c4ab308 100644
--- a/NEWS
+++ b/NEWS
@@ -10,11 +10,11 @@ Andreas:
        * Fix import of sxc files. [#703249]
 
 Jean:
-       * Don't attempt to add a path item when there is no path objecte. [#703052]
+       * Don't attempt to add a path item when there is no path object. [#703052]
 
 Morten:
        * Improve accuracy for 2-argument ERF.
-       * Fix crashes on corrupted files.  [#703143]
+       * Fix crashes on corrupted files.  [#703143] [#703307]
 
 --------------------------------------------------------------------------
 Gnumeric 1.12.3
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index c0b7623..7f4e3de 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2013-06-30  Morten Welinder  <terra gnome org>
+
+       * ms-excel-read.c (excel_read_BOUNDSHEET): Check record length.
+       Fixes #703307.
+
 2013-06-27  Andreas J. Guelzow <aguelzow pyrshep ca>
 
        * xlsx-read-drawing.c (xlsx_axis_crosses_at): check for null
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index 5f1d8d0..f78bcd6 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -1481,11 +1481,14 @@ excel_read_BOUNDSHEET (BiffQuery *q, GnmXLImporter *importer)
 {
        BiffBoundsheetData *bs;
        char const *default_name = "Unknown%d";
+       gboolean oldstyle = (importer->ver <= MS_BIFF_V4);
+
+       XL_CHECK_CONDITION (q->length >= (oldstyle ? 1 : 6));
 
        bs = g_new0 (BiffBoundsheetData, 1);
        bs->gnm_type = GNM_SHEET_DATA;
 
-       if (importer->ver <= MS_BIFF_V4) {
+       if (oldstyle) {
                bs->streamStartPos = 0; /* Excel 4 doesn't tell us */
                bs->type = MS_BIFF_TYPE_Worksheet;
                default_name = _("Sheet%d");

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]