[gnumeric] xls: fuzzed file crash.



commit b5480b69345b3c6d56ee0ed9c9e9880bb2a08cdc
Author: Morten Welinder <terra gnome org>
Date:   Wed Nov 20 18:49:14 2013 -0500

    xls: fuzzed file crash.

 NEWS                      |    2 +-
 plugins/excel/ChangeLog   |    5 +++++
 plugins/excel/boot.c      |    2 +-
 plugins/excel/ms-escher.c |    8 ++++++--
 4 files changed, 13 insertions(+), 4 deletions(-)
---
diff --git a/NEWS b/NEWS
index d81a16b..4e9dbe9 100644
--- a/NEWS
+++ b/NEWS
@@ -14,7 +14,7 @@ Morten:
        * Improve accuracy of bessel functions with large non-integer alpha.
        * Improve accuracy of ACOTH.
        * Fix fuzzed file crash.  [#708091] [#712662] [#712685] [#712700]
-         [#712708]
+         [#712708] [#712772]
        * Restore sheet reordering by drag.
        * Fix BETA on win32.
        * Fix win32 registry initialization.
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index debde99..2ec5dec 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2013-11-20  Morten Welinder  <terra gnome org>
+
+       * ms-escher.c (ms_escher_get_data): Fix fuzzed file crash.  Fixes
+       #712772.  Plug leak.
+
 2013-11-19  Morten Welinder  <terra gnome org>
 
        * ms-excel-read.c (excel_read_CF): Check record size.  Fixes
diff --git a/plugins/excel/boot.c b/plugins/excel/boot.c
index 48a616a..e4251e2 100644
--- a/plugins/excel/boot.c
+++ b/plugins/excel/boot.c
@@ -60,7 +60,7 @@ GNM_PLUGIN_MODULE_HEADER;
  */
 gint ms_excel_read_debug = 0;
 gint ms_excel_pivot_debug = 0;
-gint ms_excel_escher_debug = 0;
+gint ms_excel_escher_debug = 9;
 gint ms_excel_formula_debug = 0;
 gint ms_excel_chart_debug = 0;
 gint ms_excel_write_debug = 0;
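Review bot: The default for `ms_excel_escher_debug` is raised from 0 to 9 in the shipped globals, which reads as a leftover from diagnosing the fuzzed file rather than part of the fix; neither the commit message nor the ChangeLog entry mentions it. At that level every user opening an xls with drawing data presumably gets the `d (1, g_printerr (...))` escher tracing on stderr, which can be very large for exactly the kind of malformed input this commit is about. Restore `gint ms_excel_escher_debug = 0;` and leave raising the level to whatever runtime override the plugin already provides, if any.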
diff --git a/plugins/excel/ms-escher.c b/plugins/excel/ms-escher.c
index 9e91b6e..298fd87 100644
--- a/plugins/excel/ms-escher.c
+++ b/plugins/excel/ms-escher.c
@@ -236,11 +236,14 @@ ms_escher_get_data (MSEscherState *state,
                int len = q->length - (res - q->data);
                int counter = 0;
 
-               d (1, g_printerr ("MERGE needed (%d) which is >= %d + %d;\n",
+               d (1, g_printerr ("MERGE needed (%d) which is >= -%d + %d;\n",
                              num_bytes, offset, state->end_offset););
 
                do {
+                       int maxlen = (buffer + num_bytes) - tmp;
+                       len = MIN (len, maxlen);
                        d (1, g_printerr ("record %d) add %d bytes;\n", ++counter, len););
+
                        /* copy necessary portion of current record */
                        memcpy (tmp, res, len);
                        tmp += len;
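Review bot: The new clamp bounds the copy against the destination only; `len` is still taken as `q->length - (res - q->data)` on the first line of the hunk, and if `res` can point past the end of the current record (it is computed above the hunk, outside this view) `len` goes negative, `MIN (len, maxlen)` keeps the negative value, and `memcpy` receives it as a huge `size_t`. Clamping both ends closes that off: `len = CLAMP (len, 0, maxlen);` in place of `len = MIN (len, maxlen);`. A one-line comment stating the invariant would help the next reader, e.g. `/* never run past the merge buffer or the current record */`. `ms_escher_get_data` starts and ends outside this hunk, so whether the loop stops once `tmp` reaches `buffer + num_bytes` (when `maxlen` becomes 0) cannot be confirmed from here.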
@@ -257,7 +260,8 @@ ms_escher_get_data (MSEscherState *state,
                            q->opcode != BIFF_MS_O_DRAWING_SELECTION &&
                            q->opcode != BIFF_CHART_gelframe &&
                            q->opcode != BIFF_CONTINUE) {
-                         g_warning ("Unexpected record type 0x%x @ 0x%lx;", q->opcode, (long)q->streamPos);
+                               g_warning ("Unexpected record type 0x%x @ 0x%lx;", q->opcode, 
(long)q->streamPos);
+                               g_free (buffer);
                                return NULL;
                        }
 

