[gnumeric] xls: fuzzed file fix.
- From: Morten Welinder <mortenw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnumeric] xls: fuzzed file fix.
- Date: Sat, 9 May 2015 16:49:05 +0000 (UTC)
commit 75e276843a4a7926f88988277f148af63bb79fa5
Author: Morten Welinder <terra gnome org>
Date: Sat May 9 12:48:52 2015 -0400
xls: fuzzed file fix.
NEWS | 2 +-
plugins/excel/ChangeLog | 5 +++++
plugins/excel/ms-excel-read.c | 37 ++++++++++++++++++++++++++-----------
3 files changed, 32 insertions(+), 12 deletions(-)
---
diff --git a/NEWS b/NEWS
index 9a1c721..890cdec 100644
--- a/NEWS
+++ b/NEWS
@@ -15,7 +15,7 @@ Morten:
* Solver code refactoring.
* Plug leaks.
* Fuzzed file fixes. [#748595] [#748597] [#749031] [#749030]
- [#749069] [#748533]
+ [#749069] [#748533] [#749118]
* Make solver check linearity of model.
--------------------------------------------------------------------------
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 29f858b..396468d 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2015-05-09 Morten Welinder <terra gnome org>
+
+ * ms-excel-read.c (excel_read_NAME): Take record length into
+ account.
+
2015-05-09 Jean Brefort <jean brefort normalesup org>
* xlsx-write.c (xlsx_write_font): fix out of bounds read. [#749121]
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index d8ec88b..a8217fa 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -3749,7 +3749,7 @@ excel_parse_name (GnmXLImporter *importer, Sheet *sheet, char *name,
static char *
excel_read_name_str (GnmXLImporter *importer,
- guint8 const *data, unsigned *name_len, gboolean is_builtin)
+ guint8 const *data, unsigned datalen, unsigned *name_len, gboolean is_builtin)
{
gboolean use_utf16, has_extended;
unsigned trailing_data_len, n_markup;
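Review bot: The new `datalen` parameter has no comment stating its contract, and the function is now the single place where the byte budget for a NAME/EXTERNNAME string is enforced, so a caller passing the wrong quantity silently reopens the over-read. I would put a comment above the signature along the lines of `/* datalen: bytes readable from data. On entry *name_len is the character count from the record; on return it is the number of bytes consumed. */` — the in/out meaning of `*name_len` is only hinted at by the "converts char len to byte len" remark further down the body. The body of excel_read_name_str continues past the end of this hunk.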
@@ -3763,29 +3763,44 @@ excel_read_name_str (GnmXLImporter *importer,
if (is_builtin && *name_len) {
guint8 const *str = data;
char const *builtin;
+ unsigned clen;
if (importer->ver < MS_BIFF_V8) {
use_utf16 = has_extended = FALSE;
n_markup = trailing_data_len = 0;
- } else
- str += excel_read_string_header
- (str, G_MAXINT /* FIXME */,
+ } else {
+ int hlen = excel_read_string_header
+ (str, datalen,
&use_utf16, &n_markup, &has_extended,
&trailing_data_len);
+ str += hlen;
+ datalen -= hlen;
+ }
+
+ clen = use_utf16 ? 2 : 1;
/* pull out the magic builtin enum */
- builtin = excel_builtin_name (str);
- str += use_utf16 ? 2 : 1;
+ if (datalen >= clen) {
+ builtin = excel_builtin_name (str);
+ str += clen;
+ datalen -= clen;
+ } else
+ builtin = "bogus";
+
if (--(*name_len)) {
- char *tmp = excel_get_chars (importer, str, *name_len, use_utf16, NULL);
+ char *tmp;
+
+ *name_len = MIN (*name_len, datalen / clen);
+ tmp = excel_get_chars (importer, str, *name_len, use_utf16, NULL);
name = g_strconcat (builtin, tmp, NULL);
g_free (tmp);
- *name_len = (use_utf16 ? 2 : 1) * (*name_len);
+ *name_len = clen * (*name_len);
} else
name = g_strdup (builtin);
+
*name_len += str - data;
} else /* converts char len to byte len, and handles header */
- name = excel_get_text_fixme (importer, data, *name_len, name_len, NULL);
+ name = excel_get_text (importer, data, *name_len, name_len, NULL, datalen);
return name;
}
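Review bot: `datalen -= hlen;` trusts that excel_read_string_header never returns more than the `datalen` limit it was given; its behaviour on a truncated header is not visible here, and if it can report a header longer than the remaining bytes the unsigned subtraction wraps and the later `datalen >= clen` and `datalen / clen` bounds become vacuous. A one-line clamp before the two updates closes that, `if (hlen < 0 || (unsigned) hlen > datalen) hlen = datalen;`, after which a short record lands in the `"bogus"` branch and `MIN (*name_len, datalen / clen)` yields zero characters rather than an over-read. It would also be worth a short comment on the `"bogus"` fallback noting that it is a user-visible placeholder name chosen over failing the record, since that is the one non-obvious policy choice in the hunk.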
@@ -3815,7 +3830,7 @@ excel_read_EXTERNNAME (BiffQuery *q, MSContainer *container)
flags = GSF_LE_GET_GUINT8 (q->data);
namelen = GSF_LE_GET_GUINT8 (q->data + 6);
- name = excel_read_name_str (container->importer, q->data + 7, &namelen, flags&1);
+ name = excel_read_name_str (container->importer, q->data + 7, q->length - 7, &namelen,
flags&1);
if ((flags & (~1)) == 0) { /* all flags but builtin must be 0 */
if (7 + 2 + namelen <= q->length) {
unsigned el = GSF_LE_GET_GUINT16 (q->data + 7 + namelen);
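Review bot: `q->length - 7` is an unsigned subtraction, so a record shorter than 7 bytes turns the new byte budget into a huge value and defeats the clamping that excel_read_name_str now relies on; the reads of `q->data[0]` and `q->data[6]` just above would already be out of bounds on such a record. Unless a guard precedes this hunk (the start of excel_read_EXTERNNAME is outside it), the function needs a `q->length >= 7` check before those reads, in whatever early-return form the file uses for malformed records, before the length is passed down. The pre-existing `7 + 2 + namelen <= q->length` check below only covers the bytes after the name and does not help here.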
@@ -3965,7 +3980,7 @@ excel_read_NAME (BiffQuery *q, GnmXLImporter *importer, ExcelReadSheet *esheet)
}
XL_NEED_BYTES (name_len);
- name = excel_read_name_str (importer, data, &name_len, builtin_name);
+ name = excel_read_name_str (importer, data, q->length - (data - q->data), &name_len, builtin_name);
XL_NEED_BYTES (name_len);
data += name_len;
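Review bot: The two `XL_NEED_BYTES (name_len)` checks around the call guard different units and that is not stated anywhere: on entry `name_len` is the character count read from the record, on return it is the byte count consumed, so the first check is weaker than it looks for a UTF-16 builtin name and the new `datalen` argument is what actually bounds the read. A comment on the call, `/* name_len is a char count here; on return it is the byte count consumed, bounded by the remaining record bytes */`, would keep the next maintainer from tightening the first check in the wrong direction. The remainder of excel_read_NAME lies outside this hunk.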