[gnumeric] xls: fuzzed file fix.
- From: Morten Welinder <mortenw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gnumeric] xls: fuzzed file fix.
- Date: Thu, 7 Jan 2016 21:31:12 +0000 (UTC)
commit b92e16bd416abb5b0ee04b5ca28ccff942154947
Author: Morten Welinder <terra gnome org>
Date: Thu Jan 7 16:30:52 2016 -0500
xls: fuzzed file fix.
NEWS | 2 +-
plugins/excel/ChangeLog | 3 +++
plugins/excel/ms-excel-read.c | 32 +++++++++++++++++++++-----------
3 files changed, 25 insertions(+), 12 deletions(-)
---
diff --git a/NEWS b/NEWS
index 250e487..413cc5b 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Morten:
* Improve test suite.
* Fuzzed file fixes. [#760046] [#760085] [#760087] [#760089]
[#760043] [#760103] [#760102] [#760101] [#760105] [#760106]
- [#760104] [#760229]
+ [#760104] [#760229] [#760231]
* Fix R.DBINOM extreme-value case. [#760230]
--------------------------------------------------------------------------
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 9bdb595..fe2a4ad 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,5 +1,8 @@
2016-01-07 Morten Welinder <terra gnome org>
+ * ms-excel-read.c (excel_formula_shared): Length check for v0.
+ Fixes #760231.
+
* ms-chart.c (ms_excel_chart_read): Initialize .legend to NULL.
Fixes #760229.
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index dca1caa..320687b 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -2806,14 +2806,19 @@ excel_formula_shared (BiffQuery *q, ExcelReadSheet *esheet, GnmCell *cell)
xls_read_range8 (&r, q->data);
if (opcode == BIFF_TABLE_v0 || opcode == BIFF_TABLE_v2) {
- XLDataTable *dt = g_new0 (XLDataTable, 1);
+ XLDataTable *dt;
GnmExprList *args = NULL;
GnmCellRef ref;
- guint16 const flags = GSF_LE_GET_GUINT16 (q->data + 6);
+ guint16 flags;
+
+ XL_CHECK_CONDITION_VAL (q->length >= 16, NULL);
+
+ flags = GSF_LE_GET_GUINT16 (q->data + 6);
d (2, { range_dump (&r, " <-- contains data table\n");
gsf_mem_dump (q->data, q->length); });
+ dt = g_new0 (XLDataTable, 1);
dt->table = r;
dt->c_in.row = GSF_LE_GET_GUINT16 (q->data + 8);
dt->c_in.col = GSF_LE_GET_GUINT16 (q->data + 10);
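Review bot: The bound in `XL_CHECK_CONDITION_VAL (q->length >= 16, NULL);` is a bare number with nothing tying it to the record layout; the highest read visible is the 16-bit `r_in.col` at `q->data + 14` in the following hunk, so I would add `/* last field read below: 16-bit r_in.col at offset 14 */` above the check. Placing the check ahead of `g_new0` is right, since the early return then leaks nothing. The context call `xls_read_range8 (&r, q->data)` still runs before this check, so it depends on an earlier length test in excel_formula_shared, whose body starts and ends outside the hunk; that is worth confirming. The check only guarantees the bytes exist: the `c_in`/`r_in` row and column values remain file-controlled and feed the offset subtractions in the next hunk, and no range validation of them is visible here.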
@@ -2821,18 +2826,23 @@ excel_formula_shared (BiffQuery *q, ExcelReadSheet *esheet, GnmCell *cell)
dt->r_in.col = GSF_LE_GET_GUINT16 (q->data + 14);
g_hash_table_replace (esheet->tables, &dt->table.start, dt);
- args = gnm_expr_list_append (args, gnm_expr_new_cellref (
- gnm_cellref_init (&ref, NULL,
- dt->c_in.col -
r.start.col,
- dt->c_in.row -
r.start.row, TRUE)));
+ args = gnm_expr_list_append
+ (args,
+ gnm_expr_new_cellref
+ (gnm_cellref_init (&ref, NULL,
+ dt->c_in.col - r.start.col,
+ dt->c_in.row - r.start.row, TRUE)));
if (flags & 0x8) {
- args = gnm_expr_list_append (args, gnm_expr_new_cellref (
- gnm_cellref_init (&ref, NULL,
-
dt->r_in.col - r.start.col,
-
dt->r_in.row - r.start.row, TRUE)));
+ args = gnm_expr_list_append
+ (args,
+ gnm_expr_new_cellref
+ (gnm_cellref_init (&ref, NULL,
+ dt->r_in.col - r.start.col,
+ dt->r_in.row - r.start.row, TRUE)));
} else {
GnmExpr const *missing = gnm_expr_new_constant (value_new_empty ());
- args = (flags & 4) ? gnm_expr_list_append (args, missing)
+ args = (flags & 4)
+ ? gnm_expr_list_append (args, missing)
: gnm_expr_list_prepend (args, missing);
}
texpr = gnm_expr_top_new (gnm_expr_new_funcall (gnm_func_lookup ("table", NULL), args));