[gnumeric] xls: fuzzed file crash.



commit f7d1e85bac3aaf11eb0c8f390a977b37931f92a1
Author: Morten Welinder <terra gnome org>
Date:   Mon Nov 11 19:11:20 2013 -0500

    xls: fuzzed file crash.

 NEWS                           |    1 +
 plugins/excel/ChangeLog        |    5 +++++
 plugins/excel/ms-excel-write.c |   10 +++++++---
 3 files changed, 13 insertions(+), 3 deletions(-)
---
diff --git a/NEWS b/NEWS
index b5c2996..358676d 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ Morten:
        * Improve accuracy of COMBIN, PERMUT, POCHHAMMER, FACT, GAMMA.
        * Improve accuracy of bessel functions with large non-integer alpha.
        * Improve accuracy of ACOTH.
+       * Fix fuzzed file crash.  [#708091]
 
 Xabier Rodríguez Calvar:
        * Fix dialog button order. [#710378]
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index b77eacf..87eddd4 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2013-11-11  Morten Welinder  <terra gnome org>
+
+       * ms-excel-write.c (excel_write_ClientTextbox): Fix fuzzed file
+       crash.  [#708091]
+
 2013-10-07  Morten Welinder <terra gnome org>
 
        * Release 1.12.8
diff --git a/plugins/excel/ms-excel-write.c b/plugins/excel/ms-excel-write.c
index eb7a81a..9c1de36 100644
--- a/plugins/excel/ms-excel-write.c
+++ b/plugins/excel/ms-excel-write.c
@@ -4212,6 +4212,7 @@ excel_write_ClientTextbox (ExcelWriteState *ewb, SheetObject *so,
        int txo_len = 18;
        int draw_len = 0;
        int char_len;
+       size_t byte_len;
        int markuplen;
        BiffPut *bp = ewb->bp;
        GArray *markup = g_hash_table_lookup (ewb->cell_markup, so);
@@ -4234,7 +4235,7 @@ excel_write_ClientTextbox (ExcelWriteState *ewb, SheetObject *so,
                /* XL gets very unhappy with empty strings.  */
                label = " ";
        }
-       char_len = excel_strlen (label, NULL);
+       char_len = excel_strlen (label, &byte_len);
        GSF_LE_SET_GUINT16 (buf + 10, char_len);
        if (markup)
                markuplen = 8 + markup->len * 4;
@@ -4255,8 +4256,11 @@ excel_write_ClientTextbox (ExcelWriteState *ewb, SheetObject *so,
                int i;
 
                for (i = 0; i < n ; i++) {
-                       gint bpos = g_array_index (markup, gint, i*2);
-                       gint cpos = g_utf8_pointer_to_offset (label, label + bpos);
+                       gint bpos, cpos;
+
+                       bpos = g_array_index (markup, gint, i*2);
+                       bpos = CLAMP (bpos, 0, (int)byte_len - 1);
+                       cpos = g_utf8_pointer_to_offset (label, label + bpos);
                        GSF_LE_SET_GUINT16 (buf, cpos);
                        GSF_LE_SET_GUINT16 (buf + 2,
                                g_array_index (markup, gint, i*2+1));

