Bug 524926 - Swapped bounds checks in excel_parse_formula1()
Status: RESOLVED FIXED
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
Version: git master
Hardware: Other
OS: All
Importance: Normal normal
Target Milestone: ---
Assigned To: Jody Goldberg
QA Contact: Jody Goldberg
Duplicates: 524925
Depends on:
Blocks:
Reported: 2008-03-29 08:59 UTC by Devin Carraway
Modified: 2008-03-29 13:05 UTC
See Also:
GNOME target: ---
GNOME version: ---
Description Devin Carraway 2008-03-29 08:59:13 UTC
Please describe the problem:
The current SVN version of plugins/excel/ms-formula-read.c, in
excel_parse_formula1(), contains two bounds checks preceding a read from an
Excel file:

                case FORMULA_PTG_EXPR: {
                        GnmExpr const *expr;
                        XLSharedFormula *sf;
                        GnmCellPos top_left;

                        if (ver >= MS_BIFF_V3) {
                                CHECK_FORMULA_LEN(3);
                                top_left.col = GSF_LE_GET_GUINT16 (cur+2);
                        } else {
                                CHECK_FORMULA_LEN(4);
                                top_left.col = GSF_LE_GET_GUINT8 (cur+2);
                        }
                        top_left.row = GSF_LE_GET_GUINT16 (cur+0);
                        sf = excel_sheet_shared_formula (esheet, &top_left);

... it looks to me as if the values passed to the CHECK_FORMULA_LEN() are
reversed; the first case intends to read 2 bytes from offset 2, the second one
byte.

Re-filing bug under proper product this time.

Steps to reproduce:
1. check out code
2. open editor
3. read
Comment 1 Devin Carraway 2008-03-29 09:00:16 UTC
*** Bug 524925 has been marked as a duplicate of this bug. ***
Comment 2 Devin Carraway 2008-03-29 09:02:08 UTC
There's also a matching swap in the FORMULA_PTG_TBL case just below this one.
Comment 3 Morten Welinder 2008-03-29 13:05:16 UTC
This problem has been fixed in our software repository. The fix will go into the next software release. Thank you for your bug report.
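Added illustration of the defect discussed in this bug, written for this page rather than taken from Gnumeric: the BIFF version constants, the helper names and the two sample operands are assumptions. ptg_expr_check() models the CHECK_FORMULA_LEN() guard with the values swapped as reported, and with the corrected values, and reports whether the guard would still let the following GSF_LE_GET_* read run past the end of the record; ptg_expr_parse() reads the row/col operand only after the corrected check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for the BIFF version constants; these names are assumptions. */
#define MS_BIFF_V2 2
#define MS_BIFF_V3 3

/* Little-endian 16-bit read, what GSF_LE_GET_GUINT16 does in the original. */
static uint16_t le_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

typedef enum { PTG_REJECTED, PTG_OK, PTG_OVERREAD } ptg_verdict;

/* Bytes a PTG_EXPR operand really occupies: row (2) + col (2 for BIFF>=3, else 1). */
static size_t ptg_expr_needed(int ver)
{
    return ver >= MS_BIFF_V3 ? 4 : 3;
}

/*
 * Classify what the length guard does for a record of `len` bytes.
 * swapped=true reproduces the check from the report (3 for BIFF>=3, 4 for older);
 * swapped=false is the corrected guard, i.e. the operand's true size.
 */
static ptg_verdict ptg_expr_check(int ver, size_t len, bool swapped)
{
    size_t needed = ptg_expr_needed(ver);
    size_t checked = swapped ? (ver >= MS_BIFF_V3 ? 3 : 4) : needed;
    if (len < checked)
        return PTG_REJECTED;                 /* CHECK_FORMULA_LEN bails out here */
    return len < needed ? PTG_OVERREAD : PTG_OK;  /* guard passed but read exceeds len */
}

/* Operand read that touches the buffer only after the corrected guard passes. */
static bool ptg_expr_parse(const uint8_t *cur, size_t len, int ver,
                           uint16_t *row, uint16_t *col)
{
    if (ptg_expr_check(ver, len, false) != PTG_OK)
        return false;
    *row = le_u16(cur + 0);
    *col = ver >= MS_BIFF_V3 ? le_u16(cur + 2) : cur[2];
    return true;
}

/* Constructed sample operands (not taken from a real workbook). */
static const uint8_t biff3_rec[4] = { 0x02, 0x01, 0x04, 0x03 }; /* row 0x0102, col 0x0304 */
static const uint8_t biff2_rec[3] = { 0x02, 0x01, 0x05 };       /* row 0x0102, col 5 */
```

With the swapped guard, a 3-byte BIFF>=3 operand passes the check and the 16-bit column read reaches one byte past the record, while a valid 3-byte BIFF2 operand is rejected outright.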