[gnumeric] Lotus: fuzzed file fix re lotus cell references.



commit 68e4f65a17f14b7094d2792099ca93df9f390454
Author: Morten Welinder <terra gnome org>
Date:   Sun Jun 28 21:10:33 2015 -0400

    Lotus: fuzzed file fix re lotus cell references.

 NEWS                              |    2 +-
 plugins/lotus-123/ChangeLog       |    5 +++++
 plugins/lotus-123/lotus-formula.c |   17 ++++++++---------
 3 files changed, 14 insertions(+), 10 deletions(-)
---
diff --git a/NEWS b/NEWS
index 853c607..2ab7189 100644
--- a/NEWS
+++ b/NEWS
@@ -30,7 +30,7 @@ Morten:
          [#749424] [#749917] [#749919] [#750043] [#750044] [#750046]
          [#750811] [#750810] [#750857] [#750864] [#750862] [#750858]
          [#751126] [#751254] [#751253] [#750851] [#751258] [#751259]
-         [#751502] [#751390]
+         [#751502] [#751390] [#751579]
        * Make solver check linearity of model.
        * Fix xls saving of marker style.  [#749185]
        * Make compilation with clang work again.  [#749138]
diff --git a/plugins/lotus-123/ChangeLog b/plugins/lotus-123/ChangeLog
index 0a689a8..de7ac0d 100644
--- a/plugins/lotus-123/ChangeLog
+++ b/plugins/lotus-123/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-28  Morten Welinder  <terra gnome org>
+
+       * lotus-formula.c (get_cellref): Limit references to sheet size.
+       Fixes #751579.
+
 2015-04-16  Morten Welinder <terra gnome org>
 
        * Release 1.12.22
diff --git a/plugins/lotus-123/lotus-formula.c b/plugins/lotus-123/lotus-formula.c
index 7b0fc35..7d93cbf 100644
--- a/plugins/lotus-123/lotus-formula.c
+++ b/plugins/lotus-123/lotus-formula.c
@@ -522,27 +522,26 @@ make_function (LotusState *state, GnmExprList **stack, guint8 const *data, const
        return (f->handler) (stack, f, data, orig);
 }
 
-static gint16
-sign_extend (guint16 num)
-{
-       return (gint16)(num << 3) / 8;
-}
-
-/* FIXME: dodgy stuff, hacked for now */
 static void
 get_cellref (GnmCellRef *ref, guint8 const *dataa, guint8 const *datab,
             const GnmParsePos *orig)
 {
        guint16 i;
+       GnmSheetSize const *ss = gnm_sheet_get_size (orig->sheet);
 
        ref->sheet = NULL;
+
        i = GSF_LE_GET_GUINT16 (dataa);
-       ref->col = sign_extend (i & 0x1fff);
        ref->col_relative = (i & 0x8000) != 0;
+       ref->col = (i & 0xfff) % ss->max_cols;
+       if (ref->col_relative && (i & 0x1000))
+               ref->col = -ref->col;
 
        i = GSF_LE_GET_GUINT16 (datab);
-       ref->row = sign_extend (i & 0x1fff);
        ref->row_relative = (i & 0x8000) != 0;
+       ref->row = (i & 0xfff) % ss->max_rows;
+       if (ref->row_relative && (i & 0x1000))
+               ref->row = -ref->row;
 
 #if FORMULA_DEBUG > 0
        g_printerr ("0x%x 0x%x -> (%d, %d)\n",
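Review bot: The new decoding in get_cellref treats bit 0x1000 as a separate sign over a 12-bit magnitude, where the removed sign_extend() read the low 13 bits as two's complement, so a field of 0x1fff that used to decode to -1 now decodes to `-(0xfff % ss->max_cols)`. The ChangeLog entry mentions only the size limit, so if the change of encoding is intended it deserves a comment in place of the removed FIXME, for example `/* bits 0-11: magnitude; bit 12: sign, relative refs only; bit 15: relative flag */`. The modulo also bounds only the magnitude of a relative offset: `orig` position plus offset can still land outside the sheet, and a reduced value silently points at a different cell instead of being rejected. Whether callers normalise or range-check the result is not visible here, since the function body continues past the end of the hunk.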

