[gnumeric] pln: fuzz fix.



commit 1fbadc49ec37cecb59ed1fe218fcf4d21fd61551
Author: Morten Welinder <terra gnome org>
Date:   Tue Aug 20 13:25:28 2013 -0400

    pln: fuzz fix.
    
    Probably the first use of that plugin in a decade.

 NEWS                           |    3 +++
 plugins/plan-perfect/ChangeLog |    4 ++++
 plugins/plan-perfect/pln.c     |   24 ++++++++++++++++--------
 3 files changed, 23 insertions(+), 8 deletions(-)
---
diff --git a/NEWS b/NEWS
index b070421..c0c368f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,8 @@
 Gnumeric 1.12.6
 
+Morten:
+       * Fix crash on corrupted files.  [#706413]
+
 --------------------------------------------------------------------------
 Gnumeric 1.12.5
 
diff --git a/plugins/plan-perfect/ChangeLog b/plugins/plan-perfect/ChangeLog
index 409d4cd..3ead2ad 100644
--- a/plugins/plan-perfect/ChangeLog
+++ b/plugins/plan-perfect/ChangeLog
@@ -1,3 +1,7 @@
+2013-08-20  Morten Welinder  <terra gnome org>
+
+       * pln.c (pln_convert_expr): Fuzz fix.  See bug 706413.
+
 2013-08-19  Morten Welinder <terra gnome org>
 
        * Release 1.12.5
diff --git a/plugins/plan-perfect/pln.c b/plugins/plan-perfect/pln.c
index c7f8eed..cf81fa2 100644
--- a/plugins/plan-perfect/pln.c
+++ b/plugins/plan-perfect/pln.c
@@ -309,20 +309,26 @@ pln_get_addr (GnmParsePos const *pp, guint8 const *ch)
 }
 
 static char *
-pln_convert_expr (GnmParsePos const *pp, guint8 const *ch)
+pln_convert_expr (GnmParsePos const *pp, guint8 const *ch, size_t datalen)
 {
        GString *expr = g_string_new (NULL);
        guint8 *str;
        guint8 const *end;
-       int i, len, code;
+       int len, code;
+       unsigned ui;
+
+       g_return_val_if_fail (datalen >= 2, g_string_free (expr, FALSE));
 
        /* Expressions are stored INFIX so it is easier to just generate text */
-       i = GSF_LE_GET_GUINT16 (ch); ch += 2;
+       ui = GSF_LE_GET_GUINT16 (ch);
+       g_return_val_if_fail (ui <= datalen - 2, g_string_free (expr, FALSE));
+
+       ch += 2;
 #if DEBUG_EXPR
        puts (cellpos_as_string (&pp->eval));
-       gsf_mem_dump (ch, i);
+       gsf_mem_dump (ch, ui);
 #endif
-       for (end = ch + i ; ch < end ; ) {
+       for (end = ch + ui ; ch < end ; ) {
                code = *ch++;
                switch (code) {
                case  1: g_string_append_c (expr, '+'); break;
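Review bot: The two new length checks use g_return_val_if_fail, which GLib treats as a programmer-error assertion: it logs a g_critical and is compiled out entirely when G_DISABLE_CHECKS is defined, so on such a build a corrupted file reaches the unchecked loop exactly as before. Because datalen and the 16-bit count both come from the file, a plain conditional is the right tool, e.g. `if (datalen < 2 || (ui = GSF_LE_GET_GUINT16 (ch)) > datalen - 2) { g_string_free (expr, TRUE); return NULL; }`. Returning NULL also lets the caller's existing `if (expr_txt != NULL)` test in the third hunk skip the cell, whereas `g_string_free (expr, FALSE)` hands back an empty string that is then handed to the parser. Note that this header check only bounds the counted region as a whole; opcodes that consume operand bytes inside the loop still need their own `ch < end` checks (see the next hunk). pln_convert_expr continues past the end of this hunk.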
@@ -382,9 +388,11 @@ pln_convert_expr (GnmParsePos const *pp, guint8 const *ch)
                case 23: g_string_append_c (expr, '('); break;
                case 24: g_string_append_c (expr, ')'); break;
 
-               case 25: for (i = *ch++; i-- > 0 ; ) /* Spaces */
-                               g_string_append_c (expr, ' ');
+               case 25: {
+                       unsigned sp = *ch++;
+                       go_string_append_c_n (expr, ' ', sp);
                        break;
+               }
 
                case 26:        /* Special formula error code */
                        g_string_append (expr, "??ERROR??");
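Review bot: In the rewritten case 25 block, `*ch++` reads the space count without first testing `ch < end`, so an expression whose final byte is opcode 25 reads one byte past the counted region, and since the new check only guarantees that region fits inside the buffer, that byte may lie past the data returned by gsf_input_read. A guard such as `unsigned sp = (ch < end) ? *ch++ : 0;` keeps the read in bounds. Any other opcode that reads inline operands (not visible in this hunk) presumably needs the same treatment; pln_convert_expr begins and ends outside this hunk.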
@@ -622,7 +630,7 @@ pln_parse_sheet (GsfInput *input, PlanPerfectImport *state)
                if (length != 0) {
                        data = gsf_input_read (input, length, NULL);
                        if (cell != NULL && data != NULL) {
-                               char *expr_txt = pln_convert_expr (&pp, data);
+                               char *expr_txt = pln_convert_expr (&pp, data, length);
 
                                if (expr_txt != NULL) {
                                        texpr = gnm_expr_parse_str (expr_txt, &pp,

