[gnumeric] xls: fuzzed file fix.



commit 59cbf6fdbf65a28e155717169f62418c2c0549b7
Author: Morten Welinder <terra gnome org>
Date:   Thu May 28 08:25:25 2015 -0400

    xls: fuzzed file fix.

 NEWS                          |    2 +-
 plugins/excel/ChangeLog       |    4 ++++
 plugins/excel/ms-excel-read.c |   12 ++++++++++++
 3 files changed, 17 insertions(+), 1 deletions(-)
---
diff --git a/NEWS b/NEWS
index a9acc2a..6b7cad2 100644
--- a/NEWS
+++ b/NEWS
@@ -17,7 +17,7 @@ Morten:
        * Fuzzed file fixes.  [#748595] [#748597] [#749031] [#749030]
          [#749069] [#748533] [#749118] [#749166] [#749181] [#749184]
          [#749236] [#749240] [#749234] [#749235] [#749271] [#749270]
-         [#749424] [#749917]
+         [#749424] [#749917] [#749919]
        * Make solver check linearity of model.
        * Fix xls saving of marker style.  [#749185]
        * Make compilation with clang work again.  [#749138]
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index eb7ae2f..5cc693f 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,7 @@
+2015-05-28  Morten Welinder  <terra gnome org>
+
+       * ms-excel-read.c (xls_read_range32): Clamp to sane dimensions.
+
 2015-05-15  Morten Welinder  <terra gnome org>
 
        * ms-excel-read.c (excel_formula_shared): Catch duplicate shared
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index e9ea731..82255ea 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -4803,6 +4803,12 @@ xls_read_range32 (GnmRange *r, guint8 const *data)
        r->end.row      = GSF_LE_GET_GUINT32 (data + 4);
        r->start.col    = GSF_LE_GET_GUINT16 (data + 8);
        r->end.col      = GSF_LE_GET_GUINT16 (data + 10);
+
+       r->start.row = CLAMP (r->start.row, 0, GNM_MAX_ROWS - 1);
+       r->end.row = CLAMP (r->end.row, 0, GNM_MAX_ROWS - 1);
+       r->start.col = CLAMP (r->start.col, 0, GNM_MAX_COLS - 1);
+       r->end.col = CLAMP (r->end.col, 0, GNM_MAX_COLS - 1);
+
        d (4, range_dump (r, ";\n"););
 }
 
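Review bot: The added clamps bound each coordinate on its own but never check that start is not past end, so a crafted record with `start.row > end.row` (or the same for columns) still leaves xls_read_range32 as an inverted range; the identical block added to xls_read_range16 has the same gap. If callers do not already reject or repair such ranges, a `range_normalize (r);` after the clamps, or an explicit check that lets the caller skip the record, would close it. Separately, the 32-bit row values are stored into `r->start.row` and `r->end.row` before they are clamped; if those fields are signed ints (their type is not visible here), a value above INT_MAX turns negative and is clamped to 0 rather than to `GNM_MAX_ROWS - 1`. The function's opening lines are outside the hunk.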
@@ -4813,6 +4819,12 @@ xls_read_range16 (GnmRange *r, guint8 const *data)
        r->end.row      = GSF_LE_GET_GUINT16 (data + 2);
        r->start.col    = GSF_LE_GET_GUINT16 (data + 4);
        r->end.col      = GSF_LE_GET_GUINT16 (data + 6);
+
+       r->start.row = CLAMP (r->start.row, 0, GNM_MAX_ROWS - 1);
+       r->end.row = CLAMP (r->end.row, 0, GNM_MAX_ROWS - 1);
+       r->start.col = CLAMP (r->start.col, 0, GNM_MAX_COLS - 1);
+       r->end.col = CLAMP (r->end.col, 0, GNM_MAX_COLS - 1);
+
        d (4, range_dump (r, ";\n"););
 }
 
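Review bot: These four CLAMP lines are a copy of the ones added to xls_read_range32, and neither copy says why they are there. A shared static helper called from both readers (for example `xls_clamp_range (r)`, a name suggested here, not one from the tree) would keep the bounds in one place. It could carry the comment `/* Coordinates come straight from the file: force them inside the maximum sheet bounds. */`. Because the clamp silently rewrites bad input, a debug-level message when a value is changed would also help anyone triaging a malformed file. The function's first lines are outside the hunk.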

