@@ -1067,8 +1067,13 @@
 unsigned int row;
 unsigned int col;
 biff_cell_value *p_cell;
+ if (workbook == NULL)
+ return FREEXL_NULL_ARGUMENT;
+ if (workbook->active_sheet == NULL)
+ return FREEXL_NULL_ARGUMENT;
+
 /* allocating the cell values array */
 workbook->active_sheet->cell_values = malloc (sizeof (biff_cell_value) * (workbook->active_sheet->rows *
@@ -1712,8 +1717,13 @@
 if (swap) swap32 (&n_strings);
 p_string = workbook->record + 8;
 workbook->shared_strings.string_count = n_strings.value;
+ if (workbook->shared_strings.string_count > 1024 * 1024)
+ {
+ /* unexpected huge count ... cowardly giving up ... */
+ return FREEXL_INSUFFICIENT_MEMORY;
+ }
 workbook->shared_strings.utf8_strings = malloc (sizeof (char **) * workbook->shared_strings.string_count);
 for (i_string = 0; i_string < workbook->shared_strings.string_count; i_string++)
@@ -3748,8 +3758,10 @@
 /* the current record spans on the following sector(s) */
 unsigned int already_done;
 unsigned int chunk = workbook->sector_end - (workbook->p_in - workbook->sector_buf);
+ if (workbook->sector_end <= (workbook->p_in - workbook->sector_buf))
+ return -1;
 memcpy (workbook->record, workbook->p_in, chunk);
 workbook->p_in += chunk;
 already_done = chunk;
@@ -3823,8 +3835,12 @@
 }
 /* saving the current record */
 workbook->record_type = record_type.value;
 workbook->record_size = record_size.value;
+
+ if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
+ (int) workbook->size)
+ return 0; /* unexpected EOF */
 memcpy (workbook->record, workbook->p_in, workbook->record_size);
 workbook->p_in += record_size.value;
@@ -4061,9 +4077,12 @@
 p_sheet->rows += 1;
 p_sheet->columns += 1;
 ret = allocate_cells (workbook);
 if (ret != FREEXL_OK)
- return ret;
+ {
+ errcode = ret;
+ goto stop;
+ }
 p_sheet->valid_dimension = 1;
 workbook->second_pass = 1;
 }
 else
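Review bot: The new NULL guards in the first hunk do not cover the size arithmetic on its last line, where `workbook->active_sheet->rows * workbook->active_sheet->columns` is multiplied out before `sizeof (biff_cell_value)` widens the result; if those two fields are 32-bit unsigned integers (the `+= 1` updates in the last hunk suggest they are derived from the file's dimension record), the inner product can wrap to a small value and the cell array is allocated undersized relative to the row/column indexes the reader will later use. A bound check before the malloc closes this, e.g. `if (workbook->active_sheet->columns != 0 && workbook->active_sheet->rows > UINT_MAX / workbook->active_sheet->columns) return FREEXL_INSUFFICIENT_MEMORY;` (needs `<limits.h>`), and the same value should then be used for the allocation. The function this hunk sits in — presumably `allocate_cells`, judging by the call in the last hunk — continues past the hunk, so whatever checks the malloc result is not visible here.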
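Review bot: In the second hunk the malloc on the line after the new cap is still not checked before the for loop that immediately follows it, so the cap bounds the request size but a failed allocation would still hand a NULL `utf8_strings` to the loop, whose body lies outside the hunk and presumably fills the array. Add `if (workbook->shared_strings.utf8_strings == NULL) return FREEXL_INSUFFICIENT_MEMORY;` between the malloc and the loop. The `1024 * 1024` ceiling is a bare magic number; a named constant with a comment stating why that value was chosen would make the `/* unexpected huge count ... */` remark self-explanatory, and if the record length is available at this point, comparing the count against the bytes actually present in the record would be a tighter bound than a fixed ceiling. The enclosing function starts and ends outside the hunk.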
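Review bot: In the third hunk the new guard runs after `chunk` has already been computed from the same subtraction, so the declaration still performs the wrapping arithmetic before the check rejects it; put the guard first: `unsigned int chunk;` / `if (workbook->sector_end <= (workbook->p_in - workbook->sector_buf)) return -1;` / `chunk = workbook->sector_end - (workbook->p_in - workbook->sector_buf);`. The comparison also mixes `sector_end` with a pointer difference (`ptrdiff_t`); on targets where `ptrdiff_t` is `int` and `sector_end` is unsigned, a negative `p_in - sector_buf` converts to a huge unsigned value and passes the test, so checking `workbook->p_in >= workbook->sector_buf` first, or comparing in a common signed type, is worth considering. The hunk covers only the first chunk of a record that spans sectors; the copies for the following sectors and the error convention that `return -1` must match belong to the enclosing function, which starts outside the hunk.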
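Review bot: The EOF check added in the fourth hunk casts `workbook->size` to `int`, which turns the bound into a signed comparison; the left side is a `ptrdiff_t` plus an unsigned `record_size`, so the operand types differ by platform, and if `size` is an unsigned or wider type (the cast suggests it is) a value at or above `INT_MAX` becomes negative and rejects every record, while a large `record_size` can wrap the sum and slip past the bound. Computing the remaining bytes on the unsigned side avoids both: `if (workbook->record_size > workbook->size - (size_t) (workbook->p_in - workbook->fat->miniStream)) return 0; /* unexpected EOF */`, on the assumption that `p_in` always lies within `miniStream` on this path — if this code can also run with `p_in` pointing into `sector_buf`, as the previous hunk does, the subtraction is not a valid bound at all and the two read paths need separate checks. Whether `workbook->record` has room for `record_size` bytes before the memcpy is not visible in the hunk; the enclosing function starts outside it.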