Commit 293e04f4 authored by Morten Welinder's avatar Morten Welinder

xlsx, xls: fuzzed file fix re pivot caches.

parent 617e969c
2015-06-20 Morten Welinder <terra@gnome.org>
* src/go-data-cache.c (go_data_cache_records_set_size): Check for
overflow.
(go_data_cache_records_fetch_index): If resizing failed return
NULL early.
2015-06-18 Andreas J. Guelzow <aguelzow@pyrshep.ca>
* src/parse-util.h (_GnmConventions): add union_char field
......
......@@ -27,7 +27,7 @@ Morten:
[#749236] [#749240] [#749234] [#749235] [#749271] [#749270]
[#749424] [#749917] [#749919] [#750043] [#750044] [#750046]
[#750811] [#750810] [#750857] [#750864] [#750862] [#750858]
[#751126] [#751254] [#751253]
[#751126] [#751254] [#751253] [#750851]
* Make solver check linearity of model.
* Fix xls saving of marker style. [#749185]
* Make compilation with clang work again. [#749138]
......
2015-06-20 Morten Welinder <terra@gnome.org>
* xlsx-read.c (attr_uint): Typo.
* xls-read-pivot.c (xls_read_pivot_cache): Don't trust large
record counts.
* xlsx-read-pivot.c (xlsx_CT_pivotCacheRecords): Ditto. Also read
count as unsigned.
* ms-chart.c (trendlimits): Bail if we don't have a series. Fixes
#751253.
......
......@@ -417,7 +417,7 @@ xls_read_pivot_cache (XLSReadPivot *s, BiffQuery *q)
return FALSE;
}
go_data_cache_import_start (s->cache, num_records);
go_data_cache_import_start (s->cache, MIN (num_records, 10000u));
record_count = 0;
while (ms_biff_query_peek_next (q, &opcode) && opcode != BIFF_EOF) {
switch (opcode) {
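Review bot: The cap `10000u` in the `go_data_cache_import_start` call is an unexplained literal, and the same value is repeated in xlsx_CT_pivotCacheRecords in xlsx-read-pivot.c. A shared named constant would keep the two importers in step, with a comment such as `/* record count comes from the file; use it only as a preallocation hint */`. The rest of xls_read_pivot_cache is outside the hunk, so whether `num_records` is used unclamped further down (for loop bounds or indexing) cannot be checked from here and is worth confirming.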
......
......@@ -892,15 +892,15 @@ static void
xlsx_CT_pivotCacheRecords (GsfXMLIn *xin, xmlChar const **attrs)
{
XLSXReadState *state = (XLSXReadState *)xin->user_state;
int n = 0;
unsigned int n = 0;
for (; attrs != NULL && attrs[0] && attrs[1] ; attrs += 2) {
if (attr_int (xin, attrs, "count", &n))
if (attr_uint (xin, attrs, "count", &n))
;
}
state->pivot.record_count = 0;
go_data_cache_import_start (state->pivot.cache, n);
go_data_cache_import_start (state->pivot.cache, MIN (n, 10000u));
}
static GsfXMLInNode const xlsx_pivot_cache_records_dtd[] = {
......
......@@ -523,7 +523,7 @@ attr_uint (GsfXMLIn *xin, xmlChar const **attrs,
tmp = strtoul (attrs[1], &end, 10);
if (errno == ERANGE || tmp != (unsigned)tmp)
return xlsx_warning (xin,
_("Unisgned integer '%s' is out of range, for attribute %s"),
_("Unsigned integer '%s' is out of range, for attribute %s"),
attrs[1], target);
if (*end)
return xlsx_warning (xin,
......
......@@ -47,7 +47,11 @@ enum {
static void
go_data_cache_records_set_size (GODataCache *cache, unsigned int n)
{
int expand = n - cache->records_allocated;
int expand;
g_return_if_fail (n < G_MAXUINT / cache->record_size);
expand = n - cache->records_allocated;
if (0 == expand)
return;
......@@ -61,8 +65,12 @@ go_data_cache_records_set_size (GODataCache *cache, unsigned int n)
static guint8 *
go_data_cache_records_fetch_index (GODataCache *cache, unsigned i)
{
if (cache->records_allocated <= i)
if (cache->records_allocated <= i) {
go_data_cache_records_set_size (cache, i+128);
if (cache->records_allocated <= i)
return NULL;
}
if (cache->records_len <= i)
cache->records_len = i + 1;
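Review bot: In go_data_cache_records_set_size the overflow guard is a `g_return_if_fail`, which GLib compiles to nothing when G_DISABLE_CHECKS is defined, so a build with checks disabled loses the protection against file-supplied sizes. The expression also divides by `cache->record_size`; if a cache can reach this point with a record size of zero (not visible here), that is a division by zero. An ordinary test keeps both cases covered: `if (cache->record_size == 0 || n >= G_MAXUINT / cache->record_size) return;`. In go_data_cache_records_fetch_index, `i+128` can wrap for `i` near G_MAXUINT, and callers, which are outside this hunk, now have to handle a NULL return. Both function bodies continue outside the hunks shown.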
......