GNOME Bugzilla – Bug 340293
Crash on load relating to markup
Last modified: 2006-10-24 19:36:26 UTC
http://home.covad.net/%7Elankeny/LANL_LANS_Options_XIV.xls
Jody: please have a look at this. It seems like q->length is in bytes while we assume it to be in characters in ms_read_TXO. --- ms-obj.c.~1.144.~ 2006-03-30 15:43:30.000000000 -0500 +++ ms-obj.c 2006-05-01 12:12:12.617803000 -0400 @@ -392,25 +392,29 @@ if (ms_biff_query_peek_next (q, &op) && op == BIFF_CONTINUE) { gboolean use_utf16; + guint maxlen; ms_biff_query_next (q); use_utf16 = q->data[0] != 0; + maxlen = use_utf16 ? q->length / 2 : q->length-1; + g_print ("maxlen=%d\n", maxlen); text = excel_get_chars (c->importer, - q->data + 1, MIN (text_len, q->length-1), use_utf16); - if (q->length < text_len) { + q->data + 1, MIN (text_len, maxlen), use_utf16); + if (maxlen < text_len) { GString *accum = g_string_new (text); g_free (text); - text_len -= q->length - 1; + text_len -= maxlen; while (ms_biff_query_peek_next (q, &op) && op == BIFF_CONTINUE) { ms_biff_query_next (q); text = excel_get_chars (c->importer, q->data, MIN (q->length, text_len), use_utf16); g_string_append (accum, text); g_free (text); - if (text_len <= q->length) + maxlen = use_utf16 ? q->length / 2 : q->length; + if (text_len <= maxlen) break; - text_len -= q->length; + text_len -= maxlen; } text = g_string_free (accum, FALSE); }
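Review bot: the inner `while` loop still hands `excel_get_chars` a byte count, `MIN (q->length, text_len)`, and only derives the new `maxlen` after that call, so a UTF-16 CONTINUE record is still over-read by the same factor the hunk corrects for the first record; compute `maxlen` before the call and pass `MIN (maxlen, text_len)`. The UTF-16 branch of the first `maxlen` (`q->length / 2`) also ignores the flag byte that the 8-bit branch subtracts (`q->length-1`), so `(q->length - 1) / 2` would keep it consistent with the `q->data + 1` offset. `use_utf16` is read once from the first CONTINUE and reused for all later ones, although the dump in a later comment shows the encoding changing between records. The `g_print ("maxlen=%d\n", maxlen);` is debugging output and should not be committed.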
No crash in CVS, but lots of "excel_font_get: assertion `fd != NULL' failed". Sheet looks reasonable to me, but who am I to know?
I'm seeing the crash now. It goes away with gmorten's patch, but things are still not right. The text becomes garbage from the start of the second bold text. We get the warning "Unusual, TXO text with no formatting has 0x23e @ 0x249db"
The text switches from UTF-16 to single-byte characters in mid-flight. Like this:

1ff0 | 00 6c 00 64 00 20 00 62 00 6c 00 75 00 65 00 20 | .l.d...b.l.u.e..
2000 | 00 63 00 65 00 6c 00 6c 00 73 00 20 00 69 00 6e | .c.e.l.l.s...i.n
2010 | 00 20 00 74 00 68 00 65 00 20 00 74 00 61 00 XX | ...t.h.e...t.a.*

Opcode 0x 3c : CONTINUE, length 0x2a3 (=675)
   0 | 00 62 6c 65 2e 20 4e 42 21 20 49 20 66 69 6e 64 | .ble..NB!.I.find
  10 | 20 74 68 61 74 20 74 68 65 20 62 6c 75 65 20 28 | .that.the.blue.(
  20 | 54 43 50 32 29 20 76 61 6c 75 65 73 20 6d 61 74 | TCP2).values.mat
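As an added example (not gnumeric's code), the length arithmetic this bug is about: each CONTINUE record's byte length is turned into a character count only after its own flag byte is dropped and, for UTF-16, halved, and the flag is re-read per record so the switch to 8-bit text seen in the dump above is followed instead of producing garbage or an over-read. The record layout (flag byte, then payload) is taken from the patch and the dump; the sample bytes and all function names are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A BIFF CONTINUE record as the TXO reader sees it: flag byte (0 = 8-bit,
 * nonzero = UTF-16LE) then the text; 'len' is the BYTE length, flag included. */
typedef struct { const uint8_t *data; size_t len; } Chunk;

/* Characters the record really holds: drop the flag byte, then halve for
 * UTF-16. Using the raw byte length here is the over-read in the report. */
static size_t chunk_maxchars(const Chunk *c)
{
    if (c->len == 0) return 0;
    return c->data[0] ? (c->len - 1) / 2 : c->len - 1;
}

/* Gather up to 'want' characters into 'out' (ASCII subset; other UTF-16 units
 * become '?'). Each record re-reads its own flag byte, so an encoding switch
 * between records is handled, and no record is read past its own payload. */
static size_t txo_collect(const Chunk *chunks, size_t n, size_t want,
                          char *out, size_t outsz)
{
    size_t got = 0;
    if (outsz == 0) return 0;
    for (size_t i = 0; i < n && got < want; i++) {
        const Chunk *c = &chunks[i];
        size_t avail = chunk_maxchars(c);
        size_t take = avail < want - got ? avail : want - got;
        int utf16 = c->len > 0 && c->data[0] != 0;
        for (size_t k = 0; k < take && got + 1 < outsz; k++, got++) {
            unsigned u = utf16 ? c->data[1 + 2 * k] | c->data[2 + 2 * k] << 8
                               : c->data[1 + k];
            out[got] = u < 0x80 ? (char)u : '?';
        }
    }
    out[got] = '\0';
    return got;
}

/* Constructed sample modelled on the dump above (UTF-16 "ta", then an 8-bit
 * CONTINUE "ble."); returns 1 if the text gathered for 'want' chars matches. */
static int demo_yields(size_t want, const char *expected)
{
    static const uint8_t c1[] = { 0x01, 't', 0, 'a', 0 };
    static const uint8_t c2[] = { 0x00, 'b', 'l', 'e', '.' };
    Chunk chunks[] = { { c1, sizeof c1 }, { c2, sizeof c2 } };
    char buf[32];
    txo_collect(chunks, 2, want, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}
```

With the 5-byte UTF-16 record, a byte-length reader would ask for 5 characters (10 bytes) where only 2 exist; chunk_maxchars reports 2.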
Fixed in the development version. The fix will be available in the next major release. Thank you for your bug report.