
Differences From Artifact [2e167b3374]:

To Artifact [61618ce51a]:


  1064   1064   allocate_cells (biff_workbook * workbook)
  1065   1065   {
  1066   1066   /* allocating the rows and cells for the active Worksheet */
  1067   1067       unsigned int row;
  1068   1068       unsigned int col;
  1069   1069       biff_cell_value *p_cell;
  1070   1070   
         1071  +    if (workbook == NULL)
         1072  +	return FREEXL_NULL_ARGUMENT;
         1073  +    if (workbook->active_sheet == NULL)
         1074  +	return FREEXL_NULL_ARGUMENT;
         1075  +
  1071   1076   /* allocating the cell values array */
  1072   1077       workbook->active_sheet->cell_values =
  1073   1078   	malloc (sizeof (biff_cell_value) *
  1074   1079   		(workbook->active_sheet->rows *
  1075   1080   		 workbook->active_sheet->columns));
  1076   1081       if (workbook->active_sheet->cell_values == NULL)
  1077   1082   	return FREEXL_INSUFFICIENT_MEMORY;
................................................................................
  1709   1714         {
  1710   1715   	  /* main SST record [initializing] */
  1711   1716   	  memcpy (n_strings.bytes, workbook->record + 4, 4);
  1712   1717   	  if (swap)
  1713   1718   	      swap32 (&n_strings);
  1714   1719   	  p_string = workbook->record + 8;
  1715   1720   	  workbook->shared_strings.string_count = n_strings.value;
         1721  +	  if (workbook->shared_strings.string_count > 1024 * 1024)
         1722  +	    {
         1723  +		/* unexpected huge count ... cowardly giving up ... */
         1724  +		return FREEXL_INSUFFICIENT_MEMORY;
         1725  +	    }
  1716   1726   	  workbook->shared_strings.utf8_strings =
  1717   1727   	      malloc (sizeof (char **) * workbook->shared_strings.string_count);
  1718   1728   	  for (i_string = 0; i_string < workbook->shared_strings.string_count;
  1719   1729   	       i_string++)
  1720   1730   	      *(workbook->shared_strings.utf8_strings + i_string) = NULL;
  1721   1731         }
  1722   1732       else
................................................................................
  3745   3755       if (((workbook->p_in + workbook->record_size) - workbook->sector_buf) >
  3746   3756   	workbook->sector_end)
  3747   3757         {
  3748   3758   	  /* the current record spans on the following sector(s) */
  3749   3759   	  unsigned int already_done;
  3750   3760   	  unsigned int chunk =
  3751   3761   	      workbook->sector_end - (workbook->p_in - workbook->sector_buf);
         3762  +	  if (workbook->sector_end <= (workbook->p_in - workbook->sector_buf))
         3763  +	      return -1;
  3752   3764   	  memcpy (workbook->record, workbook->p_in, chunk);
  3753   3765   	  workbook->p_in += chunk;
  3754   3766   	  already_done = chunk;
  3755   3767   
  3756   3768   	  while (already_done < workbook->record_size)
  3757   3769   	    {
  3758   3770   		/* reading a further sector */
................................................................................
  3820   3832   	  /* BIG endian arch: swap required */
  3821   3833   	  swap16 (&record_type);
  3822   3834   	  swap16 (&record_size);
  3823   3835         }
  3824   3836   /* saving the current record */
  3825   3837       workbook->record_type = record_type.value;
  3826   3838       workbook->record_size = record_size.value;
         3839  +
         3840  +    if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
         3841  +	(int) workbook->size)
         3842  +	return 0;		/* unexpected EOF */
  3827   3843   
  3828   3844       memcpy (workbook->record, workbook->p_in, workbook->record_size);
  3829   3845       workbook->p_in += record_size.value;
  3830   3846   
  3831   3847       ret = parse_biff_record (workbook, swap);
  3832   3848       if (ret != FREEXL_OK)
  3833   3849   	return 0;
................................................................................
  4058   4074   	    {
  4059   4075   		/* setting Sheet dimensions */
  4060   4076   		int ret;
  4061   4077   		p_sheet->rows += 1;
  4062   4078   		p_sheet->columns += 1;
  4063   4079   		ret = allocate_cells (workbook);
  4064   4080   		if (ret != FREEXL_OK)
  4065         -		    return ret;
         4081  +		  {
         4082  +		      errcode = ret;
         4083  +		      goto stop;
         4084  +		  }
  4066   4085   		p_sheet->valid_dimension = 1;
  4067   4086   		workbook->second_pass = 1;
  4068   4087   	    }
  4069   4088   	  else
  4070   4089   	      p_sheet->already_done = 1;
  4071   4090   	  p_sheet = p_sheet->next;
  4072   4091         }
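Review bot: In the allocate_cells hunk the allocation size is still computed as `rows * columns` in the fields' own integer type and only then multiplied by `sizeof (biff_cell_value)`, so dimension values large enough to wrap that product produce a short buffer that the later cell writes overrun; the new NULL checks do not cover this. The last hunk shows `p_sheet->rows` and `p_sheet->columns` being set while "setting Sheet dimensions" immediately before `allocate_cells (workbook)` is called, so they appear to be file-controlled (the field types are declared outside this page, confirm). Bound the product before allocating, widening to size_t as below; SIZE_MAX needs `<stdint.h>` if the file does not already include it. The SST hunk has the related unchecked allocation `malloc (sizeof (char **) * workbook->shared_strings.string_count)` feeding the initialising loop without a NULL test, which wants `if (workbook->shared_strings.utf8_strings == NULL) return FREEXL_INSUFFICIENT_MEMORY;` before the `for`. allocate_cells continues past the end of its hunk.
```c
    biff_cell_value *p_cell;
    size_t n_cells;

    /* … unchanged: NULL checks on workbook / active_sheet … */

/* refusing dimensions whose cell count would wrap the allocation size */
    if (workbook->active_sheet->columns != 0
	&& workbook->active_sheet->rows >
	SIZE_MAX / sizeof (biff_cell_value) / workbook->active_sheet->columns)
	return FREEXL_INSUFFICIENT_MEMORY;
    n_cells = (size_t) workbook->active_sheet->rows *
	workbook->active_sheet->columns;

/* allocating the cell values array */
    workbook->active_sheet->cell_values =
	malloc (sizeof (biff_cell_value) * n_cells);
    if (workbook->active_sheet->cell_values == NULL)
	return FREEXL_INSUFFICIENT_MEMORY;
```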