[gnumeric] xls: fuzzed file fix.



commit 6e7fe2baa22acf05d978007374d9ef2073a0aee3
Author: Morten Welinder <terra gnome org>
Date:   Mon Jun 1 08:31:52 2015 -0400

    xls: fuzzed file fix.

 NEWS                          |    2 +-
 plugins/excel/ChangeLog       |    7 +++++++
 plugins/excel/ms-excel-read.c |    7 +++++--
 3 files changed, 13 insertions(+), 3 deletions(-)
---
diff --git a/NEWS b/NEWS
index 4e93117..5892aef 100644
--- a/NEWS
+++ b/NEWS
@@ -18,7 +18,7 @@ Morten:
        * Fuzzed file fixes.  [#748595] [#748597] [#749031] [#749030]
          [#749069] [#748533] [#749118] [#749166] [#749181] [#749184]
          [#749236] [#749240] [#749234] [#749235] [#749271] [#749270]
-         [#749424] [#749917] [#749919]
+         [#749424] [#749917] [#749919] [#750043]
        * Make solver check linearity of model.
        * Fix xls saving of marker style.  [#749185]
        * Make compilation with clang work again.  [#749138]
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 215d14d..65d5cc8 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,10 @@
+2015-06-01  Morten Welinder  <terra gnome org>
+
+       * ms-excel-read.c (excel_fill_bmp_header): Don't read beyond
+       buffer.
+       (excel_read_os2bmp): Check that image length makes sense.  Fixes
+       #750043.
+
 2015-05-30  Jean Brefort  <jean brefort normalesup org>
 
        * ms-escher.c (ms_escher_read_BSE), (ms_escher_read_Blip),
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index 82255ea..dac9654 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -472,7 +472,8 @@ handle_arrow_head (SheetObject *so, const char *prop_name,
        g_object_set (so, prop_name, &arrow, NULL);
 }
 
-static void excel_fill_bmp_header(guint8 *bmphdr, guint8 *data, guint32 len)
+static void
+excel_fill_bmp_header(guint8 *bmphdr, guint8 *data, guint32 len)
 {
        guint bpp;
        guint offset;
@@ -482,7 +483,7 @@ static void excel_fill_bmp_header(guint8 *bmphdr, guint8 *data, guint32 len)
        GSF_LE_SET_GUINT32 (bmphdr + 2, len + BMP_HDR_SIZE);
        GSF_LE_SET_GUINT16 (bmphdr + 6, 0);
        GSF_LE_SET_GUINT16 (bmphdr + 8, 0);
-       bpp = GSF_LE_GET_GUINT16 (data + 18);
+       bpp = len >= 20 ? GSF_LE_GET_GUINT16 (data + 18) : 1;
        switch (bpp) {
        case 24: offset = 0;       break;
        case 8:  offset = 256 * 3; break;
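Review bot: The fallback `1` on the new `bpp = len >= 20 ? ... : 1;` line is unexplained; a reader cannot tell whether it is meant as a real one-bit-per-pixel default or simply a value that lands in the switch's default branch, and the switch cases that would settle that are partly outside the hunk. The bound itself is right — reading a 16-bit value at `data + 18` needs bytes 18 and 19, so `len >= 20` is the tight check. Suggest a comment on that line, e.g. `/* Header shorter than 20 bytes cannot carry bpp at offset 18; fall back to 1 so the switch below takes its default path. */`, adjusted to whatever the default case actually does. The rest of excel_fill_bmp_header, including the switch's default and the later uses of data, lies outside the hunk.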
@@ -4406,6 +4407,8 @@ excel_read_os2bmp (BiffQuery *q, guint32 image_len)
        gboolean ret = FALSE;
        guint8 bmphdr[BMP_HDR_SIZE];
 
+       XL_CHECK_CONDITION_VAL (q->length >= 8 && image_len < q->length - 8, NULL);
+
        loader = gdk_pixbuf_loader_new_with_type ("bmp", &err);
        if (!loader)
                return NULL;
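Review bot: The new guard `image_len < q->length - 8` uses a strict inequality, which rejects a record whose image exactly fills the bytes after an 8-byte prefix; if the read this protects consumes `image_len` bytes starting at `q->data + 8`, then `image_len <= q->length - 8` is the tight bound, and if the strict form is intentional a comment should say why. The `q->length >= 8` clause is correctly placed first so the subtraction cannot wrap, and placing the whole check before gdk_pixbuf_loader_new_with_type avoids leaking the loader on the rejection path. Suggested comment on the new line: `/* Image data follows an 8-byte prefix inside the record; bail before allocating the loader if it cannot fit. */`. The read being guarded and the remainder of excel_read_os2bmp are outside the hunk, so the exact bound cannot be confirmed from here.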

