Differences From Artifact [22c434256e]:
- File src/freexl.c — part of check-in [40c17539ea] at 2017-09-07 20:04:38 on branch trunk — fixing a security issue - Cisco TALOS-2017-430 and TALOS-2017-431 (user: sandro size: 121577)
To Artifact [7d9366ce45]:
- File src/freexl.c — part of check-in [1f00f424a2] at 2018-02-22 13:47:20 on branch trunk — fixing security issues - Red Hat Bugzilla – Bug 1547892 (user: sandro size: 122450)
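--- a/src/freexl.c
+++ b/src/freexl.c
@@ -1797,14 +1797,20 @@
 utf16 = 1;
 if (!utf16)
 {
 /* 'stripped' UTF-16: requires padding */
 unsigned int i;
 for (i = 0; i < len; i++)
 {
+if (p_string - workbook->record >=
+workbook->record_size)
+{
+/* buffer overflow: it's a preasumable crafted file intended to crash FreeXL */
+return FREEXL_CRAFTED_FILE;
+}
 *(utf16_buf + (utf16_off * 2) + (i * 2)) =
 *p_string;
 p_string++;
 *(utf16_buf + (utf16_off * 2) + ((i * 2) + 1)) =
 0x00;
 }
 }
@@ -1908,14 +1914,19 @@
 memcpy (utf16_buf, p_string, available);
 workbook->shared_strings.current_utf16_off =
 available / 2;
 }
 return FREEXL_OK;
 }
 
+if (len <= 0)
+{
+/* zero length - it's a preasumable crafted file intended to crash FreeXL */
+return FREEXL_CRAFTED_FILE;
+}
 if (!parse_unicode_string
 (workbook->utf16_converter, len, utf16, p_string, &utf8_string))
 return FREEXL_INVALID_CHARACTER;
 
 /* skipping string data */
 if (!utf16)
 p_string += len;
@@ -3066,14 +3077,19 @@
 return FREEXL_OK;
 }
 
 memcpy (offset.bytes, workbook->record, 4);
 if (swap)
 swap32 (&offset);
 len = workbook->record[6];
+if (len <= 0)
+{
+/* zero length - it's a preasumable crafted file intended to crash FreeXL */
+return FREEXL_CRAFTED_FILE;
+}
 if (workbook->biff_version == FREEXL_BIFF_VER_5)
 {
 /* BIFF5: codepage text */
 memcpy (name, workbook->record + 7, len);
 utf8_name =
 convert_to_utf8 (workbook->utf8_converter, name, len, &err);
 if (err)
@@ -3225,14 +3241,19 @@
 if (swap)
 swap16 (&word16);
 len = word16.value;
 p_string = workbook->record + 4;
 get_unicode_params (p_string, swap, &start_offset, &utf16,
 &extra_skip);
 p_string += start_offset;
+if (len <= 0)
+{
+/* zero length - it's a preasumable crafted file intended to crash FreeXL */
+return FREEXL_CRAFTED_FILE;
+}
 if (!parse_unicode_string
 (workbook->utf16_converter, len, utf16, p_string,
 &utf8_string))
 return FREEXL_INVALID_CHARACTER;
 check_format (utf8_string, &is_date, &is_datetime, &is_time);
 free (utf8_string);
 if (is_date || is_datetime || is_time)
@@ -3619,14 +3640,19 @@
 /* please note: this always is UTF-16 [BIFF8] */
 int utf16 = 0;
 unsigned int start_offset;
 unsigned int extra_skip;
 get_unicode_params (p_string, swap, &start_offset, &utf16,
 &extra_skip);
 p_string += start_offset;
+if (len <= 0)
+{
+/* zero length - it's a preasumable crafted file intended to crash FreeXL */
+return FREEXL_CRAFTED_FILE;
+}
 if (!parse_unicode_string
 (workbook->utf16_converter, len, utf16, p_string,
 &utf8_string))
 return FREEXL_INVALID_CHARACTER;
 }
 ret = set_text_value (workbook, row, col, utf8_string);
 if (ret != FREEXL_OK)
@@ -3901,14 +3927,17 @@
 swap16 (&record_type);
 swap16 (&record_size);
 }
 /* saving the current record */
 workbook->record_type = record_type.value;
 workbook->record_size = record_size.value;
 
+if (workbook->record_size >= 8192)
+return 0; /* malformed or crafted file */
+
 if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
 (int) workbook->size)
 return 0; /* unexpected EOF */
 
 memcpy (workbook->record, workbook->p_in, workbook->record_size);
 workbook->p_in += record_size.value;
 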
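Review bot: The `if (len <= 0)` guard added at new lines 3248-3252 only rejects an empty string; `len` is taken straight from the record (`len = word16.value;` at 3243) and nothing checks that `len` bytes (presumably `2 * len` when `utf16` is set, going by `if (!utf16) p_string += len;` in the 1908 hunk) actually lie inside the current record, so parse_unicode_string can still be handed a length that runs past `record_size`. The 1797 hunk already uses `p_string - workbook->record >= workbook->record_size` for exactly this purpose, so the same bound fits here: `if (len <= 0 || (p_string - workbook->record) + (utf16 ? 2 * len : len) > workbook->record_size) return FREEXL_CRAFTED_FILE;`. The same remark applies to the matching guards at 1921-1925 and 3647-3651, and to `memcpy (name, workbook->record + 7, len)` at 3092, where `7 + len` is never compared with `record_size` (the 8192 cap added at 3934 bounds the buffer, so this reads stale bytes rather than crashing, but it still parses data that is not part of the record). `len`'s declared type is outside the hunk; if it is unsigned, `<= 0` is just `== 0`, and whether parse_unicode_string bounds its own reads is not visible here, so confirm before relying on it. The enclosing functions all start and end outside these hunks.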