[gnumeric] xlx: fuzzed file fix.



commit 0453475d050f59005e7493796637119511920139
Author: Morten Welinder <terra gnome org>
Date:   Tue Apr 28 18:36:06 2015 -0400

    xlx: fuzzed file fix.

 NEWS                          |    2 +-
 plugins/excel/ChangeLog       |    5 +++++
 plugins/excel/ms-excel-read.c |    6 ++++--
 3 files changed, 10 insertions(+), 3 deletions(-)
---
diff --git a/NEWS b/NEWS
index e347f7b..c3632a6 100644
--- a/NEWS
+++ b/NEWS
@@ -13,7 +13,7 @@ Morten:
        * Fix xlsx save crash related to shared strings.  [#748477]
        * Solver code refactoring.
        * Plug leaks.
-       * Fuzzed file fixes.  [#748595]
+       * Fuzzed file fixes.  [#748595]  [#748597]
 
 --------------------------------------------------------------------------
 Gnumeric 1.12.22
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 975161f..28d4f9e 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2015-04-28  Morten Welinder  <terra gnome org>
+
+       * ms-excel-read.c (sst_read_string): Prevent string overrun.
+       Fixes #748597.
+
 2015-04-26  Morten Welinder  <terra gnome org>
 
        * xlsx-write.c (xlsx_shared_string): Retry hash lookup when we
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index d1e974f..d8ec88b 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -1292,11 +1292,13 @@ sst_read_string (BiffQuery *q, MSContainer const *c,
                        offset = ms_biff_query_bound_check (q, offset, 4);
                        if (offset == (guint32)-1) {
                                g_free (res_str);
+                               pango_attr_list_unref (txo_run.accum);
                                return offset;
                        }
                        if ((q->length - offset) >= 4) {
-                               txo_run.last = g_utf8_offset_to_pointer (res_str,
-                                                                        GSF_LE_GET_GUINT16 (q->data+offset)) 
- res_str;
+                               guint16 o = GSF_LE_GET_GUINT16 (q->data + offset);
+                               size_t l = strlen (res_str);
+                               txo_run.last = g_utf8_offset_to_pointer (res_str, MIN (o, l)) - res_str;
                                if (prev_markup != NULL)
                                        pango_attr_list_filter (prev_markup,
                                                                (PangoAttrFilterFunc) append_markup, 
&txo_run);
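Review bot: The new clamp mixes units: `strlen (res_str)` counts bytes, while the second argument of g_utf8_offset_to_pointer is a count of UTF-8 characters, so for a string containing multi-byte sequences an offset that is below the byte length but above the character count can still walk past the terminator. Clamping against the character count closes that gap: `glong l = g_utf8_strlen (res_str, -1);` with the next line kept as `txo_run.last = g_utf8_offset_to_pointer (res_str, MIN (o, l)) - res_str;`. For ASCII-only content the two counts coincide, which is presumably why the reported file no longer crashes with the patch as written. The added `pango_attr_list_unref (txo_run.accum)` on the bound-check failure path looks right for that branch; sst_read_string starts and ends outside the hunk, so I cannot see whether the other early returns release it too.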

