Author: mortenw Date: Sat Feb 9 02:40:58 2008 New Revision: 16365 URL: http://svn.gnome.org/viewvc/gnumeric?rev=16365&view=rev
Log: 2008-02-08 Morten Welinder <[EMAIL PROTECTED]> * ms-chart.c: Sprinkle some length checks. Fixes #515269, #515275, and #515335. Modified: trunk/NEWS trunk/plugins/excel/ChangeLog trunk/plugins/excel/ms-chart.c Modified: trunk/NEWS ============================================================================== --- trunk/NEWS (original) +++ trunk/NEWS Sat Feb 9 02:40:58 2008 @@ -23,7 +23,7 @@ [#513317] [#513361] [#513364] [#513551] [#513605] [#513608] [#513790] [#513787] [#513835] [#513963] [#514229] [#514230] [#514295] [#514435] [#514436] [#514437] [#514506] [#514510] [#514630] [#514637] [#515155] - [#515269] [#515275] + [#515269] [#515275] [#515335] * Fix non-ascii export problem. [#511135] * Band-aid evaluation problem with broken xls. [#513559] * Fix circular array formula problem. Modified: trunk/plugins/excel/ms-chart.c ============================================================================== --- trunk/plugins/excel/ms-chart.c (original) +++ trunk/plugins/excel/ms-chart.c Sat Feb 9 02:40:58 2008 @@ -589,7 +589,10 @@ XLChartReadState *s, BiffQuery *q) { guint16 opcode; - guint16 const type = GSF_LE_GET_GUINT16 (q->data); + guint16 type; + + XL_CHECK_CONDITION_VAL (q->length >= 2, FALSE); + type = GSF_LE_GET_GUINT16 (q->data); d (0, { g_printerr ("Axisline is "); @@ -913,7 +916,7 @@ if (pt_num == 0 && series_index == 0 && series_index_for_label == 0xfffd) s->has_extra_dataformat = TRUE; - XL_CHECK_CONDITION_VAL (s->series && series_index < s->series->len, TRUE); + XL_CHECK_CONDITION_VAL (series_index < s->series->len, TRUE); series = g_ptr_array_index (s->series, series_index); XL_CHECK_CONDITION_VAL (series != NULL, TRUE); 
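Review bot: The new length check at the top of the handler in the @@ -589 hunk returns FALSE on a short record, while the checks in the @@ -913 and @@ -1871 hunks return TRUE; the added checks in trendlimits, seriestext, serparent, sertocrt, siindex and surf also return FALSE. What the return value signals to the caller is not visible in these hunks, so it is unclear whether a truncated record is reported as an error or treated like a normally handled one. If FALSE is the ordinary result, a comment such as `/* short record: skip it, keep parsing the chart */` next to the check would make the choice explicit. The handler's signature and the rest of its body lie outside the hunk.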
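Review bot: In the @@ -913 hunk, `XL_CHECK_CONDITION_VAL (series_index < s->series->len, TRUE);` now dereferences `s->series` without the `s->series &&` guard that the old line had, so the check is safe only if the array is always allocated before this handler runs. That invariant is not visible in the hunk, and the order of records comes from the file being imported. Either keep the guard, `XL_CHECK_CONDITION_VAL (s->series != NULL && series_index < s->series->len, TRUE);`, or add a comment stating where `s->series` is created. The enclosing function starts and ends outside the hunk.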
@@ -1829,9 +1832,14 @@ BC_R(trendlimits)(XLChartHandler const *handle, XLChartReadState *s, BiffQuery *q) { - double const min = GSF_LE_GET_DOUBLE (q->data); - double const max = GSF_LE_GET_DOUBLE (q->data+8); - guint8 const skip_invalid = GSF_LE_GET_GUINT8 (q->data+16); + double min, max; + gboolean skip_invalid; + + XL_CHECK_CONDITION_VAL (q->length >= 17, FALSE); + min = GSF_LE_GET_DOUBLE (q->data); + max = GSF_LE_GET_DOUBLE (q->data + 8); + skip_invalid = GSF_LE_GET_GUINT8 (q->data + 16); + d (1, { g_printerr ("skip invalid data: %s\n", (skip_invalid)? "yes": "no"); g_printerr ("min: %g\n", min); @@ -1850,6 +1858,7 @@ GogMSDimType purpose, int type_offset, int count_offset, char const *name) { + XL_CHECK_CONDITION (q->length >= 2 + (unsigned)count_offset); #if 0 switch (GSF_LE_GET_GUINT16 (q->data + type_offset)) { case 0 : /* date */ break; @@ -1871,7 +1880,7 @@ { XLChartSeries *series; - g_return_val_if_fail (s->currentSeries == NULL, TRUE); + XL_CHECK_CONDITION_VAL (s->currentSeries == NULL, TRUE); d (2, g_printerr ("SERIES = %d\n", s->series->len);); @@ -1909,12 +1918,15 @@ BC_R(seriestext)(XLChartHandler const *handle, XLChartReadState *s, BiffQuery *q) { - guint16 const id = GSF_LE_GET_GUINT16 (q->data); /* must be 0 */ - int const slen = GSF_LE_GET_GUINT8 (q->data + 2); + guint16 id; + int slen; char *str; GnmValue *value; - g_return_val_if_fail (id == 0, FALSE); + XL_CHECK_CONDITION_VAL (q->length >= 3, FALSE); + id = GSF_LE_GET_GUINT16 (q->data); /* must be 0 */ + slen = GSF_LE_GET_GUINT8 (q->data + 2); + XL_CHECK_CONDITION_VAL (id == 0, FALSE); if (slen == 0) return FALSE; @@ -1949,7 +1961,10 @@ BC_R(serparent)(XLChartHandler const *handle, XLChartReadState *s, BiffQuery *q) { - guint16 const index = GSF_LE_GET_GUINT16 (q->data) - 1; + guint16 index; + + XL_CHECK_CONDITION_VAL (q->length >= 2, FALSE); + index = GSF_LE_GET_GUINT16 (q->data) - 1; d (1, g_printerr ("Parent series index is %hd\n", index);); s->parent_index = index; 
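Review bot: In the @@ -1850 hunk, the added `XL_CHECK_CONDITION (q->length >= 2 + (unsigned)count_offset);` bounds only what is presumably a two-byte read at `count_offset`; `type_offset` is not covered. The only visible use of `type_offset` is inside the `#if 0` block, so nothing reads it today, but re-enabling that block would bring back an unchecked read. A comment like `/* bounds count_offset only; also check type_offset + 2 if the block below is enabled */` would record that. The function's name and the rest of its body are outside the hunk.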
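Review bot: In seriestext (@@ -1909), the `q->length >= 3` check covers only the id and length bytes; `slen` is read from the file and can be up to 255, and nothing in this hunk compares it with the bytes that remain in the record. The code that builds `str` is outside the hunk, so it may bound the read itself; if it does not, a truncated record can still lead to a read past the end of `q->data`. A check before the decode along the lines of `XL_CHECK_CONDITION_VAL (q->length >= 3 + (unsigned)slen, FALSE);` would close that, with the byte count adjusted if the text can be stored as two-byte characters.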
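Review bot: In serparent (@@ -1949), `index = GSF_LE_GET_GUINT16 (q->data) - 1;` wraps to 65535 when the record holds 0, and the result is stored in `s->parent_index` with no range check. Whether later users of `parent_index` compare it with `s->series->len`, or whether 0 is a defined "no parent" value, is not visible here. Unless 0 is meaningful, rejecting it before the subtraction, e.g. `XL_CHECK_CONDITION_VAL (GSF_LE_GET_GUINT16 (q->data) != 0, FALSE);`, would keep a malformed file from supplying an out-of-range series index. The `%hd` in the debug print also shows the wrapped value as -1, which hides it in logs.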
@@ -1962,9 +1977,11 @@ BC_R(sertocrt)(XLChartHandler const *handle, XLChartReadState *s, BiffQuery *q) { - guint16 const index = GSF_LE_GET_GUINT16 (q->data); + guint16 index; - g_return_val_if_fail (s->currentSeries != NULL, FALSE); + XL_CHECK_CONDITION_VAL (q->length >= 2, FALSE); + XL_CHECK_CONDITION_VAL (s->currentSeries != NULL, FALSE); + index = GSF_LE_GET_GUINT16 (q->data); s->currentSeries->chart_group = index; @@ -2025,6 +2042,7 @@ BC_R(siindex)(XLChartHandler const *handle, XLChartReadState *s, BiffQuery *q) { + XL_CHECK_CONDITION_VAL (q->length >= 2, FALSE); /* UNDOCUMENTED : Docs says this is long * Biff record is only length 2 */ s->cur_role = GSF_LE_GET_GUINT16 (q->data); @@ -2037,6 +2055,8 @@ BC_R(surf)(XLChartHandler const *handle, XLChartReadState *s, BiffQuery *q) { + XL_CHECK_CONDITION_VAL (q->length >= 6, FALSE); + #warning implement wireframe (aka use-color) #if 0 guint16 const flags = GSF_LE_GET_GUINT16 (q->data+4); _______________________________________________ SVN-commits-list mailing list (read only) http://mail.gnome.org/mailman/listinfo/svn-commits-list Want to limit the commits to a few modules? Go to above URL, log in to edit your options and select the modules ('topics') you want. Module maintainer? It is possible to set the reply-to to your development mailing list. Email [EMAIL PROTECTED] if interested.