[gnumeric] xls: fuzzed file fix.
- From: Morten Welinder <mortenw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnumeric] xls: fuzzed file fix.
- Date: Thu, 7 Jan 2016 13:57:14 +0000 (UTC)
commit 418e3ea2aee4203e45ed0f6432e7d1e7b27e9a6f
Author: Morten Welinder <terra gnome org>
Date: Thu Jan 7 08:56:54 2016 -0500
xls: fuzzed file fix.
NEWS | 1 +
plugins/excel/ChangeLog | 8 ++++++++
plugins/excel/ms-biff.c | 12 ++++++++++--
plugins/excel/ms-excel-read.c | 2 +-
plugins/excel/ms-formula-read.c | 1 +
5 files changed, 21 insertions(+), 3 deletions(-)
---
diff --git a/NEWS b/NEWS
index 6538bbd..56aa9b0 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,7 @@ Morten:
* Improve test suite.
* Fuzzed file fixes. [#760046] [#760085] [#760087] [#760089]
[#760043] [#760103] [#760102] [#760101] [#760105] [#760106]
+ [#760104]
* Fix R.DBINOM extreme-value case. [#760230]
--------------------------------------------------------------------------
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index ee52032..854877b 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,11 @@
+2016-01-07 Morten Welinder <terra gnome org>
+
+ * ms-excel-read.c (excel_read_NAME): Fix computation of array
+ length. Fixes #760104.
+
+ * ms-formula-read.c (excel_parse_formula1): Check that
+ non-parsable data is actually there before dumping it.
+
2016-01-05 Morten Welinder <terra gnome org>
* ms-formula-read.c (excel_parse_formula1): Fix string length
diff --git a/plugins/excel/ms-biff.c b/plugins/excel/ms-biff.c
index aedf7bb..25c0fb0 100644
--- a/plugins/excel/ms-biff.c
+++ b/plugins/excel/ms-biff.c
@@ -1,4 +1,3 @@
-/* vim: set sw=8: -*- Mode: C; tab-width: 8; indent-tabs-mode: t; c-basic-offset: 8 -*- */
/**
* ms-biff.c: MS Excel Biff support...
*
@@ -8,6 +7,7 @@
*
* (C) 1998-2001 Michael Meeks
* (C) 2002-2005 Jody Goldberg
+ * (C) 2016 Morten Welinder
**/
#include <gnumeric-config.h>
@@ -493,8 +493,16 @@ ms_biff_query_next (BiffQuery *q)
q->data[k] = tmp ^ q->xor_key[offset];
offset = (offset + 1) % 16;
}
- } else
+ } else {
q->non_decrypted_data = q->data;
+#if 0
+ // Turn this on to debug memory access beyond record
+ // end.
+ q->non_decrypted_data_malloced = q->data_malloced;
+ q->data = g_memdup (q->data, q->length);
+ q->data_malloced = TRUE;
+#endif
+ }
#if BIFF_DEBUG > 2
ms_biff_query_dump (q);
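Review bot: The `#if 0` block in the new `else` branch can only be reached by editing the source, while this same function already gates diagnostics on `BIFF_DEBUG` two lines below; gating the record-copy canary on that existing level (or a dedicated debug macro) would let a fuzzing build enable it without a local patch. If it is enabled, note that `g_memdup` returns NULL when its size argument is 0, so a zero-length record would leave `q->data` NULL where it previously pointed into the record buffer; presumably callers cope with that when `q->length == 0`, but a comment such as `// g_memdup returns NULL for a zero-length record` would flag it. `ms_biff_query_next` starts before the hunk.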
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index 5f9a253..dca1caa 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -4026,7 +4026,7 @@ excel_read_NAME (BiffQuery *q, GnmXLImporter *importer, ExcelReadSheet *esheet)
nexpr = g_ptr_array_index (importer->names, importer->num_name_records);
XL_NEED_BYTES (expr_len);
- array_data_len = expr_len ? q->length - (data - q->data) : 0;
+ array_data_len = expr_len ? q->length - (data - q->data) - expr_len : 0;
nexpr = excel_parse_name (importer, sheet,
name, data, expr_len,
array_data_len, TRUE, nexpr);
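Review bot: The corrected `array_data_len` expression is only non-negative because `XL_NEED_BYTES (expr_len)` on the line above has established that at least `expr_len` bytes remain after `data`; without that, `q->length - (data - q->data) - expr_len` goes negative (or wraps if the variable is unsigned) and is then passed to `excel_parse_name` as the trailing-data length. That dependency is invisible at this line, so a short comment would save the next reader the lookup: `/* XL_NEED_BYTES above ensures expr_len <= bytes remaining, so this is >= 0 */`. `excel_read_NAME` begins and continues outside the hunk.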
diff --git a/plugins/excel/ms-formula-read.c b/plugins/excel/ms-formula-read.c
index 96f754e..ee9323d 100644
--- a/plugins/excel/ms-formula-read.c
+++ b/plugins/excel/ms-formula-read.c
@@ -1530,6 +1530,7 @@ excel_parse_formula1 (MSContainer const *container,
default :
g_printerr ("FIXME: Duff array item type %d @ %s%d:%d,%d\n",
val_type, col_name(fn_col), fn_row+1, lpx, lpy);
+ CHECK_FORMULA_ARRAY_LEN(8);
gsf_mem_dump (array_data-1, 9);
elem = value_new_empty ();
}
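Review bot: The new `CHECK_FORMULA_ARRAY_LEN(8)` and the following `gsf_mem_dump (array_data-1, 9)` express the same bound with two different numbers, and the `-1` / `9` pairing (the already-consumed type byte plus eight more) is not obvious; a comment such as `/* dump the consumed type byte plus the 8 bytes just verified */` ties them together. Whether the macro returns, jumps, or only warns on a short buffer is not visible here; if it merely warns, the dump still reads past the record, so it is worth confirming at the macro's definition. This `default:` case sits inside a switch in `excel_parse_formula1`, whose body continues outside the hunk.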