Differences From Artifact [2e167b3374]:
- File src/freexl.c — part of check-in [4d12353be9] at 2012-12-21 12:07:45 on branch trunk — fixing the build process on MSVC (makefile.vc and config-msvc.h) (user: sandro size: 118532)
To Artifact [61618ce51a]:
- File src/freexl.c — part of check-in [3df5ca3036] at 2015-03-05 17:28:17 on branch trunk — fixing four critical bugs identified by American Fuzzy Lop (user: sandro size: 119089)
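--- a/src/freexl.c
+++ b/src/freexl.c
@@ -1064,14 +1064,19 @@
 allocate_cells (biff_workbook * workbook)
 {
     /* allocating the rows and cells for the active Worksheet */
     unsigned int row;
     unsigned int col;
     biff_cell_value *p_cell;
 
+    if (workbook == NULL)
+	return FREEXL_NULL_ARGUMENT;
+    if (workbook->active_sheet == NULL)
+	return FREEXL_NULL_ARGUMENT;
+
     /* allocating the cell values array */
     workbook->active_sheet->cell_values =
 	malloc (sizeof (biff_cell_value) *
 		(workbook->active_sheet->rows *
 		 workbook->active_sheet->columns));
     if (workbook->active_sheet->cell_values == NULL)
 	return FREEXL_INSUFFICIENT_MEMORY;
@@ -1709,14 +1714,19 @@
       {
 	  /* main SST record [initializing] */
 	  memcpy (n_strings.bytes, workbook->record + 4, 4);
 	  if (swap)
 	      swap32 (&n_strings);
 	  p_string = workbook->record + 8;
 	  workbook->shared_strings.string_count = n_strings.value;
+	  if (workbook->shared_strings.string_count > 1024 * 1024)
+	    {
+		/* unexpected huge count ... cowardly giving up ... */
+		return FREEXL_INSUFFICIENT_MEMORY;
+	    }
 	  workbook->shared_strings.utf8_strings =
 	      malloc (sizeof (char **) * workbook->shared_strings.string_count);
 	  for (i_string = 0; i_string < workbook->shared_strings.string_count;
 	       i_string++)
 	      *(workbook->shared_strings.utf8_strings + i_string) = NULL;
       }
     else
@@ -3745,14 +3755,16 @@
     if (((workbook->p_in + workbook->record_size) - workbook->sector_buf) >
 	workbook->sector_end)
       {
 	  /* the current record spans on the following sector(s) */
 	  unsigned int already_done;
 	  unsigned int chunk =
 	      workbook->sector_end - (workbook->p_in - workbook->sector_buf);
+	  if (workbook->sector_end <= (workbook->p_in - workbook->sector_buf))
+	      return -1;
 	  memcpy (workbook->record, workbook->p_in, chunk);
 	  workbook->p_in += chunk;
 	  already_done = chunk;
 
 	  while (already_done < workbook->record_size)
 	    {
 		/* reading a further sector */
@@ -3820,14 +3832,18 @@
 	  /* BIG endian arch: swap required */
 	  swap16 (&record_type);
 	  swap16 (&record_size);
       }
     /* saving the current record */
     workbook->record_type = record_type.value;
     workbook->record_size = record_size.value;
+
+    if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
+	(int) workbook->size)
+	return 0;		/* unexpected EOF */
 
     memcpy (workbook->record, workbook->p_in, workbook->record_size);
     workbook->p_in += record_size.value;
 
     ret = parse_biff_record (workbook, swap);
     if (ret != FREEXL_OK)
 	return 0;
@@ -4058,15 +4074,18 @@
 	    {
 		/* setting Sheet dimensions */
 		int ret;
 		p_sheet->rows += 1;
 		p_sheet->columns += 1;
 		ret = allocate_cells (workbook);
 		if (ret != FREEXL_OK)
-		    return ret;
+		  {
+		      errcode = ret;
+		      goto stop;
+		  }
 		p_sheet->valid_dimension = 1;
 		workbook->second_pass = 1;
 	    }
 	  else
 	      p_sheet->already_done = 1;
 	  p_sheet = p_sheet->next;
       }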
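Review bot: The malloc of workbook->shared_strings.utf8_strings at new lines 1726-1727 of the SST hunk is still unchecked before the loop at 1728-1730 stores through it, so an allocation failure (less likely with the new 1024 * 1024 cap, but not excluded) becomes a NULL-pointer write; add `if (workbook->shared_strings.utf8_strings == NULL) return FREEXL_INSUFFICIENT_MEMORY;` between the malloc and the loop. The cap itself is a sound defence against a count read straight from an untrusted file, since the old code let a crafted count drive the allocation size directly. The allocate_cells hunk has a related gap: if rows and columns are narrower than size_t (their types are not visible here), their product at new lines 1079-1080 can wrap before being widened for malloc, so the new NULL checks should be followed by an overflow guard on the product (widen first, handle rows == 0, then compare columns against `SIZE_MAX / rows`, which needs `<stdint.h>`). The SST hunk's enclosing function starts and ends outside the hunk.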