[gnumeric] xlsx, xls: fuzzed file fix re pivot caches.



commit 293e04f485c21b467e41149e9ab27ba942b918e4
Author: Morten Welinder <terra gnome org>
Date:   Sat Jun 20 15:15:11 2015 -0400

    xlsx, xls: fuzzed file fix re pivot caches.

 ChangeLog                       |    7 +++++++
 NEWS                            |    2 +-
 plugins/excel/ChangeLog         |    7 +++++++
 plugins/excel/xls-read-pivot.c  |    2 +-
 plugins/excel/xlsx-read-pivot.c |    6 +++---
 plugins/excel/xlsx-read.c       |    2 +-
 src/go-data-cache.c             |   12 ++++++++++--
 7 files changed, 30 insertions(+), 8 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index 6c33d6a..4425de4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-06-20  Morten Welinder  <terra gnome org>
+
+       * src/go-data-cache.c (go_data_cache_records_set_size): Check for
+       overflow.
+       (go_data_cache_records_fetch_index): If resizing failed return
+       NULL early.
+
 2015-06-18  Andreas J. Guelzow <aguelzow pyrshep ca>
 
        * src/parse-util.h (_GnmConventions): add union_char field
diff --git a/NEWS b/NEWS
index 3f50210..da474b2 100644
--- a/NEWS
+++ b/NEWS
@@ -27,7 +27,7 @@ Morten:
          [#749236] [#749240] [#749234] [#749235] [#749271] [#749270]
          [#749424] [#749917] [#749919] [#750043] [#750044] [#750046]
          [#750811] [#750810] [#750857] [#750864] [#750862] [#750858]
-         [#751126] [#751254] [#751253]
+         [#751126] [#751254] [#751253] [#750851]
        * Make solver check linearity of model.
        * Fix xls saving of marker style.  [#749185]
        * Make compilation with clang work again.  [#749138]
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 786b271..0769474 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,5 +1,12 @@
 2015-06-20  Morten Welinder  <terra gnome org>
 
+       * xlsx-read.c (attr_uint): Typo.
+
+       * xls-read-pivot.c (xls_read_pivot_cache): Don't trust large
+       record counts.
+       * xlsx-read-pivot.c (xlsx_CT_pivotCacheRecords): Ditto.  Also read
+       count as unsigned.
+
        * ms-chart.c (trendlimits): Bail if we don't have a series.  Fixes
        #751253.
 
diff --git a/plugins/excel/xls-read-pivot.c b/plugins/excel/xls-read-pivot.c
index e9480ba..9d0239e 100644
--- a/plugins/excel/xls-read-pivot.c
+++ b/plugins/excel/xls-read-pivot.c
@@ -417,7 +417,7 @@ xls_read_pivot_cache (XLSReadPivot *s, BiffQuery *q)
                        return FALSE;
                }
 
-       go_data_cache_import_start (s->cache, num_records);
+       go_data_cache_import_start (s->cache, MIN (num_records, 10000u));
        record_count = 0;
        while (ms_biff_query_peek_next (q, &opcode) && opcode != BIFF_EOF) {
                switch (opcode) {
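Review bot: The cap `10000u` in the `go_data_cache_import_start` call is an unexplained literal, and the same value is repeated in `xlsx_CT_pivotCacheRecords` in plugins/excel/xlsx-read-pivot.c. A single named constant used at both call sites, with a comment such as `/* Record count comes from the file and is untrusted; use it only as a bounded pre-allocation hint. */`, would make the intent clear and keep the two importers in step. Files with more than 10000 records presumably still load because `go_data_cache_records_fetch_index` grows the array on demand, but that is inferred from the src/go-data-cache.c hunks and should be confirmed before the comment says so. The declaration of `num_records` is outside this hunk, so its signedness relative to `10000u` in `MIN` cannot be checked from here.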
diff --git a/plugins/excel/xlsx-read-pivot.c b/plugins/excel/xlsx-read-pivot.c
index 551bf3d..7d353c4 100644
--- a/plugins/excel/xlsx-read-pivot.c
+++ b/plugins/excel/xlsx-read-pivot.c
@@ -892,15 +892,15 @@ static void
 xlsx_CT_pivotCacheRecords (GsfXMLIn *xin, xmlChar const **attrs)
 {
        XLSXReadState *state = (XLSXReadState *)xin->user_state;
-       int n = 0;
+       unsigned int n = 0;
 
        for (; attrs != NULL && attrs[0] && attrs[1] ; attrs += 2) {
-               if (attr_int (xin, attrs, "count", &n))
+               if (attr_uint (xin, attrs, "count", &n))
                        ;
        }
 
        state->pivot.record_count = 0;
-       go_data_cache_import_start (state->pivot.cache, n);
+       go_data_cache_import_start (state->pivot.cache, MIN (n, 10000u));
 }
 
 static GsfXMLInNode const xlsx_pivot_cache_records_dtd[] = {
diff --git a/plugins/excel/xlsx-read.c b/plugins/excel/xlsx-read.c
index 3aa3358..705542c 100644
--- a/plugins/excel/xlsx-read.c
+++ b/plugins/excel/xlsx-read.c
@@ -523,7 +523,7 @@ attr_uint (GsfXMLIn *xin, xmlChar const **attrs,
        tmp = strtoul (attrs[1], &end, 10);
        if (errno == ERANGE || tmp != (unsigned)tmp)
                return xlsx_warning (xin,
-                       _("Unisgned integer '%s' is out of range, for attribute %s"),
+                       _("Unsigned integer '%s' is out of range, for attribute %s"),
                        attrs[1], target);
        if (*end)
                return xlsx_warning (xin,
diff --git a/src/go-data-cache.c b/src/go-data-cache.c
index 2b7f6d1..e8522a8 100644
--- a/src/go-data-cache.c
+++ b/src/go-data-cache.c
@@ -47,7 +47,11 @@ enum {
 static void
 go_data_cache_records_set_size (GODataCache *cache, unsigned int n)
 {
-       int expand = n - cache->records_allocated;
+       int expand;
+
+       g_return_if_fail (n < G_MAXUINT / cache->record_size);
+
+       expand = n - cache->records_allocated;
        if (0 == expand)
                return;
 
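Review bot: `g_return_if_fail` is a weak guard for the new overflow check in `go_data_cache_records_set_size`, because `n` can be derived from file contents and GLib compiles these checks out when `G_DISABLE_CHECKS` is defined. The expression also divides by `cache->record_size`, which faults if that field is ever zero; whether a cache with no fields can reach this point is not visible in the hunk. An explicit test keeps the guard in every build, for example `if (cache->record_size == 0 || n >= G_MAXUINT / cache->record_size) return;`. The rest of the function body lies outside the hunk.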
@@ -61,8 +65,12 @@ go_data_cache_records_set_size (GODataCache *cache, unsigned int n)
 static guint8 *
 go_data_cache_records_fetch_index (GODataCache *cache, unsigned i)
 {
-       if (cache->records_allocated <= i)
+       if (cache->records_allocated <= i) {
                go_data_cache_records_set_size (cache, i+128);
+               if (cache->records_allocated <= i)
+                       return NULL;
+       }
+
        if (cache->records_len <= i)
                cache->records_len = i + 1;
 
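Review bot: The new `return NULL` in `go_data_cache_records_fetch_index` is only safe if every caller checks the result, and this commit changes no caller: the diffstat's 12 changed lines in src/go-data-cache.c are all accounted for by these two hunks. Since the function is static, its callers are all in this file and should be audited for a NULL dereference on the failure path. Separately, `i+128` can wrap for `i` close to `G_MAXUINT`, which would pass a small size to `go_data_cache_records_set_size`; the re-check added here still returns NULL in that case, but what the resize does with a smaller `n` is outside the hunk. A contract comment above the function would help, e.g. `/* Returns NULL if the record array cannot be grown to cover index i. */`. The function body continues past the end of the hunk.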

