[gnumeric] xls: fuzzed file fix re shared string table.



commit 1b7801353352bb0ad84887e555f7466580d0bd8f
Author: Morten Welinder <terra gnome org>
Date:   Thu Jun 11 20:25:00 2015 -0400

    xls: fuzzed file fix re shared string table.

 NEWS                          |    2 +-
 plugins/excel/ChangeLog       |    1 +
 plugins/excel/ms-excel-read.c |    7 ++++---
 3 files changed, 6 insertions(+), 4 deletions(-)
---
diff --git a/NEWS b/NEWS
index 719bb7b..ccc35ab 100644
--- a/NEWS
+++ b/NEWS
@@ -21,7 +21,7 @@ Morten:
          [#749069] [#748533] [#749118] [#749166] [#749181] [#749184]
          [#749236] [#749240] [#749234] [#749235] [#749271] [#749270]
          [#749424] [#749917] [#749919] [#750043] [#750044] [#750046]
-         [#750811]
+         [#750811] [#750810]
        * Make solver check linearity of model.
        * Fix xls saving of marker style.  [#749185]
        * Make compilation with clang work again.  [#749138]
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 9be2a47..8727915 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -2,6 +2,7 @@
 
        * ms-excel-read.c (excel_read_AUTOFILTER): Handle invalid filter
        condition.  Fixes #750811.
+       (excel_read_SST): Fuzzed file fix.  #750810.
 
 2015-06-01  Morten Welinder  <terra gnome org>
 
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index 3c6cc65..7014049 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -1308,7 +1308,7 @@ static void
 excel_read_SST (BiffQuery *q, GnmXLImporter *importer)
 {
        guint32 offset;
-       unsigned i;
+       unsigned i, sst_len;
 
        XL_CHECK_CONDITION (q->length >= 8);
 
@@ -1319,9 +1319,10 @@ excel_read_SST (BiffQuery *q, GnmXLImporter *importer)
                        gsf_mem_dump (q->data, q->length);
                });
 
-       importer->sst_len = GSF_LE_GET_GUINT32 (q->data + 4);
-       XL_CHECK_CONDITION (importer->sst_len < INT_MAX / sizeof (ExcelStringEntry));
+       sst_len = GSF_LE_GET_GUINT32 (q->data + 4);
+       XL_CHECK_CONDITION (sst_len < INT_MAX / sizeof (ExcelStringEntry));
 
+       importer->sst_len = sst_len;
        importer->sst = g_new0 (ExcelStringEntry, importer->sst_len);
 
        offset = 8;
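Review bot: The count read from `q->data + 4` is still bounded only by `INT_MAX / sizeof (ExcelStringEntry)`, so a crafted file can request a table of up to roughly 2 GiB, and `g_new0` aborts the process if that allocation fails. Consider `importer->sst = g_try_new0 (ExcelStringEntry, sst_len);` followed by `XL_CHECK_CONDITION (importer->sst != NULL);`, assigning `importer->sst_len = sst_len;` only after that succeeds so the length and the table are committed together. A short comment such as `/* Commit sst_len only after validation so it never disagrees with sst. */` would record why the local exists. The rest of excel_read_SST lies outside the hunk, so whether a second SST record in the same file would leak or mismatch an earlier table cannot be judged from here.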

