[gnumeric] xls: fuzzed file fix re escher containers



commit c9fecc9e71eec7fd13389b16948bdb33ff6798e1
Author: Morten Welinder <terra gnome org>
Date:   Mon Jun 22 14:21:39 2015 -0400

    xls: fuzzed file fix re escher containers

 NEWS                      |    2 +-
 plugins/excel/ChangeLog   |    5 +++++
 plugins/excel/ms-escher.c |   10 +++++++++-
 3 files changed, 15 insertions(+), 2 deletions(-)
---
diff --git a/NEWS b/NEWS
index 4dc36a9..79f8c68 100644
--- a/NEWS
+++ b/NEWS
@@ -28,7 +28,7 @@ Morten:
          [#749236] [#749240] [#749234] [#749235] [#749271] [#749270]
          [#749424] [#749917] [#749919] [#750043] [#750044] [#750046]
          [#750811] [#750810] [#750857] [#750864] [#750862] [#750858]
-         [#751126] [#751254] [#751253] [#750851]
+         [#751126] [#751254] [#751253] [#750851] [#751258]
        * Make solver check linearity of model.
        * Fix xls saving of marker style.  [#749185]
        * Make compilation with clang work again.  [#749138]
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 3a55225..cf604b5 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-22  Morten Welinder  <terra gnome org>
+
+       * ms-escher.c (ms_escher_read_container): Catch crazy length field
+       causing a loop.  Fixes #751258.
+
 2015-06-22  Jean Brefort  <jean brefort normalesup org>
 
        * ms-chart.c (3dbarshape), (3d), (ai), (alruns), (area),
diff --git a/plugins/excel/ms-escher.c b/plugins/excel/ms-escher.c
index 791a1d7..907d504 100644
--- a/plugins/excel/ms-escher.c
+++ b/plugins/excel/ms-escher.c
@@ -2085,6 +2085,7 @@ ms_escher_read_container (MSEscherState *state, MSEscherHeader *container,
                gboolean (*handler)(MSEscherState *state,
                                    MSEscherHeader *container) = NULL;
                gboolean needs_free;
+               guint32 datalen;
 
                guint8 const *data = ms_escher_get_data (state, h.offset,
                        COMMON_HEADER_LEN, &needs_free);
@@ -2096,9 +2097,16 @@ ms_escher_read_container (MSEscherState *state, MSEscherHeader *container,
 
                tmp     = GSF_LE_GET_GUINT16 (data + 0);
                h.fbt   = GSF_LE_GET_GUINT16 (data + 2);
+               datalen = GSF_LE_GET_GUINT32 (data + 4);
+
+               if (datalen >= 0xfffffff0) {
+                       g_warning ("Crazy data length in escher record");
+                       ms_escher_header_release (&h);
+                       return TRUE;
+               }
 
                /* Include the length of this header in the record size */
-               h.len      = GSF_LE_GET_GUINT32 (data + 4) + COMMON_HEADER_LEN;
+               h.len      = datalen + COMMON_HEADER_LEN;
                h.ver      = tmp & 0x0f;
                h.instance = (tmp >> 4) & 0xfff;
 
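Review bot: The guard added at `if (datalen >= 0xfffffff0)` encodes as a bare literal the property it actually protects, namely that `datalen + COMMON_HEADER_LEN` does not wrap when it is stored into `h.len` a few lines later; writing it as `if (datalen > G_MAXUINT32 - COMMON_HEADER_LEN)` ties the threshold to the constant it depends on and cannot drift if the header size changes. The check also rejects only lengths that wrap: a fuzzed value such as 0x7fffffff passes and yields an `h.len` far beyond any real container, so unless the later record handling bounds `h.offset + h.len` against the container's extent (not visible in this hunk), the same loop could presumably still be driven with a non-wrapping but absurd length. Since the early exit returns TRUE, the caller appears to treat a corrupt record as a cleanly finished container; a short comment such as `/* Corrupt length: stop parsing this container rather than loop on it */` would record that this is intentional. ms_escher_read_container begins before this hunk and continues after it.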

