After an evaluation, GNOME has moved from Bugzilla to GitLab. Learn more about GitLab.
No new issues can be reported in GNOME Bugzilla anymore.
To report an issue in a GNOME project, go to GNOME GitLab.
Do not go to GNOME Gitlab for: Bluefish, Doxygen, GnuCash, GStreamer, java-gnome, LDTP, NetworkManager, Tomboy.
Bug 524925 - Swapped formula bounds checks in excel_parse_formula1()
Swapped formula bounds checks in excel_parse_formula1()
Status: RESOLVED DUPLICATE of bug 524926
Product: Gnumeric
Classification: Applications
Component: import/export MS Excel (tm)
git master
Other All
: Normal normal
: ---
Assigned To: Rodney Dawes
Rodney Dawes
Depends on:
Blocks:
 
 
Reported: 2008-03-29 08:53 UTC by Devin Carraway
Modified: 2008-03-29 09:00 UTC
See Also:
GNOME target: ---
GNOME version: 2.21/2.22


Description Devin Carraway 2008-03-29 08:53:16 UTC 
Please describe the problem:
The current SVN version of plugins/excel/ms-formula-read.c, in excel_parse_formula1(), contains two bounds checks preceeding a read from an excel file:

                case FORMULA_PTG_EXPR: {
                        GnmExpr const *expr;
                        XLSharedFormula *sf;
                        GnmCellPos top_left;

                        if (ver >= MS_BIFF_V3) {
                                CHECK_FORMULA_LEN(3);
                                top_left.col = GSF_LE_GET_GUINT16 (cur+2);
                        } else {
                                CHECK_FORMULA_LEN(4);
                                top_left.col = GSF_LE_GET_GUINT8 (cur+2);
                        }
                        top_left.row = GSF_LE_GET_GUINT16 (cur+0);
                        sf = excel_sheet_shared_formula (esheet, &top_left);

... it looks to me as if the values passed to the CHECK_FORMULA_LEN() are reversed; the first case intends to read 2 bytes from offset 2, the second one byte.

Steps to reproduce:
1. check out code
2. open editor
3. read


Actual results:


Expected results:


Does this happen every time?


Other information:
Comment 1 Devin Carraway 2008-03-29 09:00:16 UTC 

*** This bug has been marked as a duplicate of 524926 ***