[gnumeric] MIDB: Fix length check.



commit f1fc90ebfa550ed1039b71d521a203b953abd2a8
Author: Morten Welinder <terra gnome org>
Date:   Thu Mar 19 09:09:11 2015 -0400

    MIDB: Fix length check.
    
    This fixes possible integer overflow and 0/1-base confusion.

 NEWS                          |    1 +
 plugins/fn-string/ChangeLog   |    5 +++++
 plugins/fn-string/functions.c |   14 +++++++-------
 3 files changed, 13 insertions(+), 7 deletions(-)
---
diff --git a/NEWS b/NEWS
index b45266e..628b29e 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ Morten:
        * Improve test suite.
        * Actually implement DECIMAL.
        * Fix BETA problem with special case.
+       * Fix MIDB and REPLACEB length check.
 
 --------------------------------------------------------------------------
 Gnumeric 1.12.21
diff --git a/plugins/fn-string/ChangeLog b/plugins/fn-string/ChangeLog
index 5f03382..d759f9b 100644
--- a/plugins/fn-string/ChangeLog
+++ b/plugins/fn-string/ChangeLog
@@ -1,3 +1,8 @@
+2015-03-19  Morten Welinder  <terra gnome org>
+
+       * functions.c (gnumeric_midb, gnumeric_replaceb): Fix length
+       check.
+
 2015-03-04  Morten Welinder <terra gnome org>
 
        * Release 1.12.21
diff --git a/plugins/fn-string/functions.c b/plugins/fn-string/functions.c
index 7e0b536..89813cf 100644
--- a/plugins/fn-string/functions.c
+++ b/plugins/fn-string/functions.c
@@ -446,13 +446,13 @@ gnumeric_midb (GnmFuncEvalInfo *ei, GnmValue const * const *argv)
 
        if ((len < 0) || (pos < 1))
                return value_new_error_VALUE (ei->pos);
-       ipos = (int)MIN ((gnm_float)INT_MAX, pos) - 1;
-       ilen = (int)MIN ((gnm_float)INT_MAX, len);
+       ipos = (int)MIN ((gnm_float)INT_MAX / 2, pos) - 1;
+       ilen = (int)MIN ((gnm_float)INT_MAX / 2, len);
        if ((ipos >= slen) ||
            ((gunichar)-1 == g_utf8_get_char_validated (peek + ipos, -1)))
                return value_new_error_VALUE (ei->pos);
 
-       if ((ipos + ilen) >= slen)
+       if ((ipos + ilen) > slen)
                return value_new_string (peek + ipos);
 
        newlen = ((const guchar *)g_utf8_find_prev_char (peek + ipos, peek + ipos + ilen + 1))
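Review bot: The `INT_MAX / 2` clamps on the new `ipos` and `ilen` lines carry the whole overflow fix, yet nothing in the code says why the limit is half of INT_MAX, so a later cleanup that restores `INT_MAX` would silently bring the `ipos + ilen` (and `ipos + ilen + 1` in the g_utf8_find_prev_char call) overflow back. I would put `/* Clamp to INT_MAX/2 so ipos + ilen (+1) cannot overflow int. */` above the two assignments; the identical pair in the gnumeric_replaceb hunk below deserves the same comment. Separately, the `(len < 0) || (pos < 1)` guard just above lets a NaN through, and casting NaN to int is undefined behaviour; if a NaN can reach these arguments, which I cannot tell from the hunk, the guard should read `if (!(len >= 0) || !(pos >= 1))`. The body of gnumeric_midb starts and ends outside the hunk.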
@@ -918,10 +918,10 @@ gnumeric_replaceb (GnmFuncEvalInfo *ei, GnmValue const * const *argv)
 
        if ((len < 0) || (pos < 1))
                return value_new_error_VALUE (ei->pos);
-       ipos = (int)MIN ((gnm_float)INT_MAX, pos) - 1;
-       ilen = (int)MIN ((gnm_float)INT_MAX, len);
-       if ((ipos >= slen) ||
-           (ipos + ilen - 1 > slen) ||
+       ipos = (int)MIN ((gnm_float)INT_MAX / 2, pos) - 1;
+       ilen = (int)MIN ((gnm_float)INT_MAX / 2, len);
+       if ((ipos > slen) ||
+           (ipos + ilen > slen) ||
            ((gunichar)-1 == g_utf8_get_char_validated (old + ipos, -1)) ||
            !g_utf8_validate (old + ipos, ilen, NULL))
                return value_new_error_VALUE (ei->pos);

