[gnumeric] xls: fuzzed file fix re filters.



commit 66b3f2865b3819a671c011f487711a507c746efe
Author: Morten Welinder <terra gnome org>
Date:   Thu Jun 11 20:20:45 2015 -0400

    xls: fuzzed file fix re filters.

 NEWS                          |    1 +
 plugins/excel/ChangeLog       |    5 +++++
 plugins/excel/ms-excel-read.c |   10 ++++++++--
 3 files changed, 14 insertions(+), 2 deletions(-)
---
diff --git a/NEWS b/NEWS
index 9958281..719bb7b 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,7 @@ Morten:
          [#749069] [#748533] [#749118] [#749166] [#749181] [#749184]
          [#749236] [#749240] [#749234] [#749235] [#749271] [#749270]
          [#749424] [#749917] [#749919] [#750043] [#750044] [#750046]
+         [#750811]
        * Make solver check linearity of model.
        * Fix xls saving of marker style.  [#749185]
        * Make compilation with clang work again.  [#749138]
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 236f909..9be2a47 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-11  Morten Welinder  <terra gnome org>
+
+       * ms-excel-read.c (excel_read_AUTOFILTER): Handle invalid filter
+       condition.  Fixes #750811.
+
 2015-06-01  Morten Welinder  <terra gnome org>
 
        * ms-obj.c (ms_read_TXO): Zero out markup earlier.  Fixes #750046.
diff --git a/plugins/excel/ms-excel-read.c b/plugins/excel/ms-excel-read.c
index 56029f6..3c6cc65 100644
--- a/plugins/excel/ms-excel-read.c
+++ b/plugins/excel/ms-excel-read.c
@@ -5602,8 +5602,10 @@ excel_read_DV (BiffQuery *q, ExcelReadSheet *esheet)
 
        XL_CHECK_CONDITION (data+2 < end);
        i = GSF_LE_GET_GUINT16 (data);
-       for (data += 2; i-- > 0 ; data += 8) {
-               XL_CHECK_CONDITION (data+8 <= end);
+       data += 2;
+       XL_CHECK_CONDITION ((end - data) / 8 >= i);
+
+       for (; i-- > 0 ; data += 8) {
                xls_read_range16 (&r, data);
                ranges = g_slist_prepend (ranges, gnm_range_dup (&r));
        }
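Review bot: The new bound `XL_CHECK_CONDITION ((end - data) / 8 >= i);` is only safe because `data < end` still holds after `data += 2`, which follows from the `data+2 < end` check several lines above; `end - data` is a signed ptrdiff_t, so if `i` is unsigned the comparison is well-defined only while that difference is non-negative, and the dependency is not stated anywhere near the check. A one-line comment would make the invariant explicit for the next person who reorders the checks: `/* data < end here (checked above), so (end - data) / 8 is a non-negative count of whole 8-byte ranges and the comparison against i is safe.  */`. The declaration of `i` and the rest of excel_read_DV lie outside the hunk, so its exact type is inferred rather than seen.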
@@ -6067,6 +6069,10 @@ excel_read_AUTOFILTER (BiffQuery *q, ExcelReadSheet *esheet)
                        v1 = value_new_string_nocopy (
                                excel_get_text (esheet->container.importer, data, len1, NULL, NULL, end - 
data));
 
+               /* Survive fuzzed files.  */
+               if (op0 == GNM_FILTER_UNUSED)
+                       op0 = GNM_FILTER_OP_BLANKS;
+
                if (op1 == GNM_FILTER_UNUSED) {
                        cond = gnm_filter_condition_new_single (op0, v0);
                        value_release (v1); /* paranoia */
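Review bot: Rewriting an unknown `op0` into `GNM_FILTER_OP_BLANKS` changes the meaning of the imported filter without recording that the input was invalid, and the comment `/* Survive fuzzed files.  */` does not say why BLANKS was chosen or what happens to `v0`, which is still handed to `gnm_filter_condition_new_single (op0, v0)` for an operator that presumably takes no value. If that constructor does not release an unused value for BLANKS, `v0` leaks on this path; please confirm against its implementation. I would extend the comment to something like `/* Survive fuzzed files: an invalid first operator is mapped to BLANKS rather than rejecting the record; v0 is released by gnm_filter_condition_new_single.  */` once that ownership is verified, or release `v0` here explicitly if it is not. The surrounding excel_read_AUTOFILTER body begins and ends outside the hunk.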

