[gnumeric] xls: plug fuzzed file leak.
- From: Morten Welinder <mortenw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnumeric] xls: plug fuzzed file leak.
- Date: Mon, 29 Jun 2015 12:07:12 +0000 (UTC)
commit c5cc08e7afe9ebf9c1e1839e2dcb90ff93b5afcb
Author: Morten Welinder <terra gnome org>
Date: Mon Jun 29 08:06:52 2015 -0400
xls: plug fuzzed file leak.
plugins/excel/ChangeLog | 5 +++++
plugins/excel/ms-excel-read.c | 23 +++++++++++++++--------
plugins/excel/ms-excel-util.h | 29 ++++++++++-------------------
3 files changed, 30 insertions(+), 27 deletions(-)
---
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 6771319..deadb0b 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-29 Morten Welinder <terra gnome org>
+
+ * ms-excel-read.c (excel_read_CF): Plug leak when reading fuzzed
+ file.
+
2015-06-28 Jean Brefort <jean brefort normalesup org>
* ms-chart.c (end): fuzzed file fix. [#751758]
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index 8bdda75..00cf026 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -5176,9 +5176,9 @@ excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc,
guint32 flags;
guint16 flags2;
unsigned offset;
- GnmStyleCond *cond;
+ GnmStyleCond *cond = NULL;
GnmStyleCondOp cop;
- GnmStyle *overlay;
+ GnmStyle *overlay = NULL;
XL_CHECK_CONDITION (q->length >= 12);
@@ -5278,7 +5278,7 @@ excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc,
if (flags & 0x02000000) { /* number format */
gboolean ignore = (flags & 0x00080000) != 0;
- XL_CHECK_CONDITION (q->length >= offset + 2);
+ XL_CHECK_CONDITION_FULL (q->length >= offset + 2, goto fail;);
if (flags2 & 1) {
/* Format as string */
@@ -5302,7 +5302,7 @@ excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc,
guint8 tmp8, font_flags;
guint8 const *data = q->data + offset;
- XL_CHECK_CONDITION (q->length >= offset + 64 + 54);
+ XL_CHECK_CONDITION_FULL (q->length >= offset + 64 + 54, goto fail;);
if (data[0] && GSF_LE_GET_GUINT16 (data + 116) > 0) {
char *font = excel_biff_text_1
@@ -5378,7 +5378,7 @@ excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc,
if (flags & 0x08000000) { /* alignment block */
guint16 d1, d2;
- XL_CHECK_CONDITION (q->length >= offset + 8);
+ XL_CHECK_CONDITION_FULL (q->length >= offset + 8, goto fail;);
d1 = GSF_LE_GET_GUINT16 (q->data + offset);
d2 = GSF_LE_GET_GUINT16 (q->data + offset + 2);
@@ -5412,7 +5412,7 @@ excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc,
if (flags & 0x10000000) { /* borders */
guint32 d0, d1;
- XL_CHECK_CONDITION (q->length >= offset + 8);
+ XL_CHECK_CONDITION_FULL (q->length >= offset + 8, goto fail;);
d0 = GSF_LE_GET_GUINT32 (q->data + offset);
d1 = GSF_LE_GET_GUINT32 (q->data + offset + 4);
@@ -5449,7 +5449,7 @@ excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc,
guint32 background_flags;
int pattern = 0;
- XL_CHECK_CONDITION (q->length >= offset + 4);
+ XL_CHECK_CONDITION_FULL (q->length >= offset + 4, goto fail;);
background_flags = GSF_LE_GET_GUINT32 (q->data + offset);
if (0 == (flags & 0x10000))
@@ -5472,7 +5472,7 @@ excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc,
offset += 2;
}
- XL_CHECK_CONDITION (q->length == offset + expr0_len + expr1_len);
+ XL_CHECK_CONDITION_FULL (q->length == offset + expr0_len + expr1_len, goto fail;);
d (1, gnm_style_dump (overlay););
@@ -5480,6 +5480,13 @@ excel_read_CF (BiffQuery *q, ExcelReadSheet *esheet, GnmStyleConditions *sc,
gnm_style_unref (overlay);
gnm_style_conditions_insert (sc, cond, -1);
gnm_style_cond_free (cond);
+ return;
+
+fail:
+ if (cond)
+ gnm_style_cond_free (cond);
+ if (overlay)
+ gnm_style_unref (overlay);
}
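Review bot: The `fail:` cleanup frees `cond` and unrefs `overlay` independently, which is only correct if `overlay` has not yet been handed to `cond` (the success path's `gnm_style_unref (overlay)` right after the attach suggests the cond takes its own reference) at any point where a `goto fail;` can fire; the attach call is not visible in these hunks, so that ordering is worth confirming in the full function. Likewise any `XL_CHECK_CONDITION` still left between the allocation of `cond`/`overlay` and the final length check — if there is one outside the hunks shown — would still return without reaching `fail:` and keep the leak. A one-line comment above the label would pin the invariant for the next edit: `/* fail: reached only before overlay is attached to cond; free both independently */`. excel_read_CF's body begins outside this hunk.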
static void
diff --git a/plugins/excel/ms-excel-util.h b/plugins/excel/ms-excel-util.h
index 2dc6307..05505a2 100644
--- a/plugins/excel/ms-excel-util.h
+++ b/plugins/excel/ms-excel-util.h
@@ -14,34 +14,25 @@
#include <stdlib.h>
#include <print-info.h>
-/*
- * Check a condition relating to whether the file being read is ok.
- * (Not to be confused with checking a programming error.)
- *
- * If it fails, print a warning and return.
- */
-#define XL_CHECK_CONDITION(cond) \
+#define XL_CHECK_CONDITION_FULL(cond,code) \
do { \
if (!(cond)) { \
g_warning ("File is most likely corrupted.\n" \
"(Condition \"%s\" failed in %s.)\n", \
#cond, \
G_STRFUNC); \
- return; \
- } \
- } while (0)
-
-#define XL_CHECK_CONDITION_VAL(cond,val) \
- do { \
- if (!(cond)) { \
- g_warning ("File is most likely corrupted.\n" \
- "(Condition \"%s\" failed in %s.)\n", \
- #cond, \
- G_STRFUNC); \
- return (val); \
+ code \
} \
} while (0)
+/*
+ * Check a condition relating to whether the file being read is ok.
+ * (Not to be confused with checking a programming error.)
+ *
+ * If it fails, print a warning and return.
+ */
+#define XL_CHECK_CONDITION(cond) XL_CHECK_CONDITION_FULL(cond,return;)
+#define XL_CHECK_CONDITION_VAL(cond,val) XL_CHECK_CONDITION_FULL(cond,return val;)
typedef struct _TwoWayTable TwoWayTable;
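Review bot: The new `XL_CHECK_CONDITION_FULL` macro is undocumented, and its `code` argument has non-obvious requirements: it is pasted verbatim into the failure branch, so the caller must supply the terminating `;` (as the `goto fail;` callers and the two wrappers do), and because the expansion is wrapped in `do { ... } while (0)`, a `break` or `continue` passed as `code` would only leave the macro's own loop rather than the caller's. The comment block that was moved down now describes only the `return` wrappers, leaving the general macro bare. Suggested comment above it: `/* Warn about a corrupt file and run CODE (which must include its own ';') when COND fails; CODE runs inside a do/while(0), so break/continue do not reach the caller's loop. */`.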