[gnumeric] xls: fuzzed file crash.



commit 256c0f259615a090d33a43654745dc3a61f277d0
Author: Morten Welinder <terra gnome org>
Date:   Tue Nov 19 18:46:54 2013 -0500

    xls: fuzzed file crash.

 NEWS                          |    1 +
 plugins/excel/ChangeLog       |    3 +++
 plugins/excel/ms-excel-read.c |    2 ++
 3 files changed, 6 insertions(+), 0 deletions(-)
---
diff --git a/NEWS b/NEWS
index b3a103e..d81a16b 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ Morten:
        * Improve accuracy of bessel functions with large non-integer alpha.
        * Improve accuracy of ACOTH.
        * Fix fuzzed file crash.  [#708091] [#712662] [#712685] [#712700]
+         [#712708]
        * Restore sheet reordering by drag.
        * Fix BETA on win32.
        * Fix win32 registry initialization.
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index c13e737..debde99 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,5 +1,8 @@
 2013-11-19  Morten Welinder  <terra gnome org>
 
+       * ms-excel-read.c (excel_read_CF): Check record size.  Fixes
+       #712708.
+
        * xlsx-read-drawing.c (xlsx_style_line_end): Clear the current
        color.  Fixes #712700.
 
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index 9e077ac..3fb8e95 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -5175,6 +5175,8 @@ excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc)
        expr1_len = GSF_LE_GET_GUINT16 (q->data + 4);
        flags = GSF_LE_GET_GUINT32 (q->data + 6);
 
+       XL_CHECK_CONDITION (q->length >= 10u + expr0_len + expr1_len);
+
        d (1, {
                        gsf_mem_dump (q->data+6, 6);
                        g_printerr ("cond type = %d, op type = %d, flags = 0x%08x\n", (int)type, (int)op, 
flags);
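Review bot: The new XL_CHECK_CONDITION is placed after `expr1_len` and `flags` have already been read from `q->data + 4` and `q->data + 6`, so a record shorter than 10 bytes is still read past its end before the check fires, unless an earlier check outside this hunk already guarantees `q->length >= 10` (excel_read_CF begins and ends outside the hunk, so that cannot be confirmed here). If no such check exists, a minimal `XL_CHECK_CONDITION (q->length >= 10);` should precede the reads of `expr0_len`, `expr1_len` and `flags`, with the combined `10u + expr0_len + expr1_len` check kept where it is for the expression payloads. Note also that the debug block's `gsf_mem_dump (q->data+6, 6)` reads bytes 6..11, which the new check does not cover when both expression lengths are zero; that is debug-only code but worth a comment such as `/* dump may read up to offset 12; only enabled at debug level 1 */`.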

