rpms/gnumeric/F-8 gnumeric-1.6.3-excel-overflow.patch, NONE, 1.1 gnumeric.spec, 1.34, 1.35

Hans de Goede (jwrdegoede) fedora-extras-commits at redhat.com
Mon Feb 4 15:18:59 UTC 2008


Author: jwrdegoede

Update of /cvs/extras/rpms/gnumeric/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv24697

Modified Files:
	gnumeric.spec 
Added Files:
	gnumeric-1.6.3-excel-overflow.patch 
Log Message:
* Sun Feb  3 2008 Hans de Goede <j.w.r.degoede at hhs.nl> 1:1.6.3-14
- Fix integer overflow and signedness errors in XLS processing (Bug 431229)


gnumeric-1.6.3-excel-overflow.patch:

--- NEW FILE gnumeric-1.6.3-excel-overflow.patch ---
diff -up gnumeric-1.6.3/plugins/excel/ms-excel-read.c.excel gnumeric-1.6.3/plugins/excel/ms-excel-read.c
--- gnumeric-1.6.3/plugins/excel/ms-excel-read.c.excel	2008-02-04 09:36:31.000000000 +0100
+++ gnumeric-1.6.3/plugins/excel/ms-excel-read.c	2008-02-04 15:38:54.000000000 +0100
@@ -95,6 +95,43 @@ typedef struct {
 
 #define N_BYTES_BETWEEN_PROGRESS_UPDATES   0x1000
 
+/*
+ * Check whether the product of the first two arguments exceeds
+ * the third.  The function should be overflow-proof.
+ */
+static gboolean
+product_gt (size_t count, size_t itemsize, size_t space)
+{
+	return itemsize > 0 &&
+		(count > G_MAXUINT / itemsize || count * itemsize > space);
+}
+
+static void
+record_size_barf (size_t count, size_t itemsize, size_t space,
+		  const char *locus)
+{
+	g_warning ("File is most likely corrupted.\n"
+		   "(Requested %u*%u bytes, but only %u bytes left in record.\n"
+		   "The problem occurred in %s.)",
+		   (unsigned)count, (unsigned)itemsize,
+		   (unsigned)space,
+		   locus);
+}
+
+#define XL_NEED_BYTES(count) XL_NEED_ITEMS(count,1)
+
+#define XL_NEED_ITEMS(count__,size__)					\
+  do {									\
+	  size_t count_ = (count__);					\
+	  size_t size_ = (size__);					\
+	  size_t space_ = q->length - (data - q->data);			\
+	  if (G_UNLIKELY (product_gt (count_, size_, space_))) {	\
+                record_size_barf (count_, size_, space_, G_STRFUNC);	\
+		return;							\
+          }								\
+  } while (0)
+
+
 /* #define NO_DEBUG_EXCEL */
 #ifndef NO_DEBUG_EXCEL
 #define d(level, code)	do { if (ms_excel_read_debug > level) { code } } while (0)
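Review bot: `XL_NEED_ITEMS` computes `space_ = q->length - (data - q->data)` with no guard for `data` already lying past the end of the record; once an earlier step has advanced `data` beyond `q->data + q->length`, the subtraction wraps to a huge `size_t`, `product_gt` passes, and the following read runs out of bounds. Cases 4 and 16 in `excel_read_XCT` (which verify 2 bytes but advance 8) can produce exactly that state. Replace the space line with `size_t used_ = (size_t)(data - q->data);` and `size_t space_ = used_ <= q->length ? q->length - used_ : 0;`. Separately, `product_gt` divides by `G_MAXUINT` although its operands are `size_t`, which on LP64 is stricter than necessary but still safe (`G_MAXSIZE` would be the exact bound). The macro also depends on `q` and `data` being in scope and on the caller being a `void` function because it bare-`return`s; a comment such as `/* Requires BiffQuery *q and const guint8 *data in scope; returns from a void function on short data. */` would save the next user a surprise.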
@@ -3386,29 +3423,40 @@ excel_read_XCT (BiffQuery *q, GnmXLImpor
 			continue;
 
 		for (data = q->data + 4; ep.eval.col <= last_col ; ep.eval.col++) {
-			g_return_if_fail (data + 1 - q->data <= (int)q->length);
+			guint8 oper;
+			XL_NEED_BYTES (1);
 
-			switch (*data) {
-			case  1: v = value_new_float (GSF_LE_GET_DOUBLE (data+1));
-				 data += 9;
-				 break;
-			case  2: len = data[1];
-				 v = value_new_string_nocopy (
-					excel_get_text (importer, data + 2, len, NULL));
-				 data += 2 + len;
-				 break;
-
-			case  4: v = value_new_bool (GSF_LE_GET_GUINT16 (data+1) != 0);
-				 data += 9;
-				 break;
-
-			case 16: v = biff_get_error (&ep, GSF_LE_GET_GUINT16 (data+1));
-				 data += 9;
-				 break;
+			oper = *data++;
+			switch (oper) {
+			case  1:
+				XL_NEED_BYTES (8);
+				v = value_new_float (GSF_LE_GET_DOUBLE (data));
+				data += 8;
+				break;
+			case  2:
+				XL_NEED_BYTES (1);
+				len = *data++;
+				v = value_new_string_nocopy (
+					excel_get_text (importer, data, len, NULL));
+				data += len;
+				break;
+
+			case  4:
+				XL_NEED_BYTES (2);
+				v = value_new_bool (GSF_LE_GET_GUINT16 (data) != 0);
+				/* FIXME: 8?? */
+				data += 8;
+				break;
+
+			case 16:
+				XL_NEED_BYTES (2);
+				v = biff_get_error (&ep, GSF_LE_GET_GUINT16 (data));
+				/* FIXME: 8?? */
+				data += 8;
+				break;
 
 			default :
-				g_warning ("Unknown oper type 0x%x in a CRN record", (int)*data);
-				data++;
+				g_warning ("Unknown oper type 0x%x in a CRN record", (guint)oper);
 				v = NULL;
 			}
 
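Review bot: In case 2, `len = *data++;` is followed by `excel_get_text (importer, data, len, NULL)` and `data += len;` with no check that `len` bytes remain in the record — only the single length byte was verified — so a crafted CRN record can still make the string read run past `q->length` (unless excel_get_text bounds-checks internally, which this hunk does not show). Add `XL_NEED_BYTES (len);` immediately after `len = *data++;`. Cases 4 and 16 verify 2 bytes but advance `data` by 8, as the `FIXME: 8??` comments admit; if fewer than 8 bytes remain, `data` ends up past the record end and the `XL_NEED_BYTES (1)` at the top of the next iteration computes a wrapped-around space and no longer protects anything. Using `XL_NEED_BYTES (8);` in both cases matches the advance and keeps the pointer inside the record. excel_read_XCT begins before this hunk and `len`/`v` are declared outside it.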
@@ -4935,7 +4983,7 @@ excel_read_HLINK (BiffQuery *q, ExcelRea
 	if ((options & 0x14) == 0x14) {
 		len = GSF_LE_GET_GUINT32 (data);
 		data += 4;
-		g_return_if_fail (data + len*2 - q->data <= (int)q->length);
+		XL_NEED_ITEMS (len, 2);
 		label = read_utf16_str (len, data);
 		data += len*2;
 	}
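Review bot: `len = GSF_LE_GET_GUINT32 (data); data += 4;` reads the 4-byte length field before any check that 4 bytes remain, so a truncated HLINK record can be read past `q->length` before the new `XL_NEED_ITEMS (len, 2)` ever runs; put `XL_NEED_BYTES (4);` ahead of the `GSF_LE_GET_GUINT32` read. The same read-then-check ordering recurs at every length field in this function (the `options & 0x80`, `url_guid` and `options & 0x8` branches in the following hunks). `XL_NEED_ITEMS (len, 2)` itself is the right replacement for the old `data + len*2 - q->data <= (int)q->length` test, which could overflow for large `len` and compared a possibly wrapped value against a signed cast. excel_read_HLINK starts before this hunk, so whatever validates `data` on entry is not visible here.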
@@ -4944,7 +4992,7 @@ excel_read_HLINK (BiffQuery *q, ExcelRea
 	if (options & 0x80) {
 		len = GSF_LE_GET_GUINT32 (data);
 		data += 4;
-		g_return_if_fail (len*2 + data - q->data <= (int)q->length);
+		XL_NEED_ITEMS (len, 2);
 		target = read_utf16_str (len, data);
 		data += len*2;
 	}
@@ -4955,7 +5003,7 @@ excel_read_HLINK (BiffQuery *q, ExcelRea
 		data += sizeof (url_guid);
 		len = GSF_LE_GET_GUINT32 (data);
 		data += 4;
-		g_return_if_fail (len + data - q->data <= (int)q->length);
+		XL_NEED_BYTES (len);
 
 		url = read_utf16_str (len/2, data);
 		link = g_object_new (gnm_hlink_url_get_type (), NULL);
@@ -4971,7 +5019,7 @@ excel_read_HLINK (BiffQuery *q, ExcelRea
 
 		gsf_mem_dump (data, q->length - (data - q->data));
 
-		g_return_if_fail (len + data - q->data <= (int)q->length);
+		XL_NEED_BYTES (len);
 		data += len;
 
 	} else if ((options & 0x1e3) == 0x103) {
@@ -4988,7 +5036,7 @@ excel_read_HLINK (BiffQuery *q, ExcelRea
 	if (options & 0x8) {
 		len = GSF_LE_GET_GUINT32 (data);
 		data += 4;
-		g_return_if_fail (len*2 + data - q->data <= (int)q->length);
+		XL_NEED_ITEMS (len, 2);
 		target = read_utf16_str (len, data);
 		data += len*2;
 	}


Index: gnumeric.spec
===================================================================
RCS file: /cvs/extras/rpms/gnumeric/F-8/gnumeric.spec,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- gnumeric.spec	15 Nov 2007 21:56:05 -0000	1.34
+++ gnumeric.spec	4 Feb 2008 15:18:21 -0000	1.35
@@ -1,7 +1,7 @@
 Name:             gnumeric
 Epoch:            1
 Version:          1.6.3
-Release:          13%{?dist}
+Release:          14%{?dist}
 Summary:          Spreadsheet program for GNOME
 Group:            Applications/Productivity
 # bug filed upstream about this being GPL v2 only:
@@ -15,6 +15,7 @@
 Patch3:           gnumeric-1.6.3-gda3.patch
 Patch4:           gnumeric-1.6.3-gpl-md5.patch
 Patch5:           gnumeric-1.6.3-stf-parse.patch
+Patch6:           gnumeric-1.6.3-excel-overflow.patch
 BuildRoot:        %{_tmppath}/%{name}-%{version}-root
 BuildRequires:    libgnomeui-devel >= 2.4.0
 BuildRequires:    libgnomeprintui22-devel >= 2.8.2
@@ -54,6 +55,7 @@
 %patch3 -p1 -b .gda3
 %patch4 -p1 -b .gpl-md5
 %patch5 -p1 -b .csv
+%patch6 -p1 -b .excel
 chmod -x plugins/excel/rc4.?
 
 
@@ -173,6 +175,9 @@
 
 
 %changelog
+* Sun Feb  3 2008 Hans de Goede <j.w.r.degoede at hhs.nl> 1:1.6.3-14
+- Fix integer overflow and signedness errors in XLS processing (Bug 431229)
+
 * Thu Nov 15 2007 Hans de Goede <j.w.r.degoede at hhs.nl> 1:1.6.3-13
 - Fix opening of csv files in non-English locales (bz 385441)
 



