Commit a878cb00 authored by Morten Welinder

xls: fix fuzzed file issue.

parent d4783c9a
...@@ -14,7 +14,7 @@ Morten: ...@@ -14,7 +14,7 @@ Morten:
* Avoid some overflows in IMGAMMA. * Avoid some overflows in IMGAMMA.
* Fix tabulation truncation issue. * Fix tabulation truncation issue.
* Fix ABR. [#720353] * Fix ABR. [#720353]
* Fix fuzzed file crashes. [#720425] [#720426] * Fix fuzzed file crashes. [#720425] [#720426] [#720358]
-------------------------------------------------------------------------- --------------------------------------------------------------------------
Gnumeric 1.12.9 Gnumeric 1.12.9
2013-12-21 Morten Welinder <terra@gnome.org>
* ms-obj.c (read_pre_biff8_read_name_and_fmla): Fix and improve
length check. Fixes #720358.
2013-12-13 Morten Welinder <terra@gnome.org> 2013-12-13 Morten Welinder <terra@gnome.org>
* ms-excel-read.c (excel_read_WINDOW2): Don't crash of truncated * ms-excel-read.c (excel_read_WINDOW2): Don't crash of truncated
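Review bot: the ChangeLog entry "Fix and improve length check" does not say what the old check missed; for future readers it would help to state that the record length was compared against `offset` alone, so the two-byte formula length and the formula bytes after it could be read past the end of the record. Suggested wording: "Check that the record holds the 2-byte formula length and fmla_len formula bytes. Fixes #720358."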
...@@ -635,9 +635,10 @@ read_pre_biff8_read_name_and_fmla (BiffQuery *q, MSContainer *c, MSObj *obj, ...@@ -635,9 +635,10 @@ read_pre_biff8_read_name_and_fmla (BiffQuery *q, MSContainer *c, MSObj *obj,
guint8 const *data; guint8 const *data;
gboolean fmla_len; gboolean fmla_len;
XL_CHECK_CONDITION_VAL (q->length >= offset, NULL); XL_CHECK_CONDITION_VAL (q->length >= offset + 2, NULL);
data = q->data + offset; data = q->data + offset;
fmla_len = GSF_LE_GET_GUINT16 (q->data+26); fmla_len = GSF_LE_GET_GUINT16 (q->data+26);
XL_CHECK_CONDITION_VAL (q->length >= offset + 2 + fmla_len, NULL);
if (has_name) { if (has_name) {
guint8 const *last = q->data + q->length; guint8 const *last = q->data + q->length;
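Review bot: the strengthened guard `XL_CHECK_CONDITION_VAL (q->length >= offset + 2, NULL);` covers `data = q->data + offset`, but the length is read on the next line from the fixed position `q->data+26`, so bytes 26..27 are only proven in bounds when `offset` is 26 at this call site; if `offset` can be smaller the read can still run past a short record. Either read the length from `data` (`GSF_LE_GET_GUINT16 (data)`) so the check and the access use the same offset, or additionally check `q->length >= 28`. Separately, `fmla_len` is declared `gboolean` while it holds a 16-bit length that is then used in `offset + 2 + fmla_len`; declaring it `guint` would make the intent clear. The added `q->length >= offset + 2 + fmla_len` check is the right bound for the formula bytes that follow the length field.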