File gnumeric-CVE-2013-6836.patch of Package gnumeric.openSUSE_13.1_Update
From b5480b69345b3c6d56ee0ed9c9e9880bb2a08cdc Mon Sep 17 00:00:00 2001
From: Morten Welinder <terra@gnome.org>
Date: Wed, 20 Nov 2013 23:49:14 +0000
Subject: xls: fuzzed file crash.
---
diff --git a/plugins/excel/boot.c b/plugins/excel/boot.c
index 48a616a..e4251e2 100644
--- a/plugins/excel/boot.c
+++ b/plugins/excel/boot.c
@@ -60,7 +60,7 @@ GNM_PLUGIN_MODULE_HEADER;
*/
gint ms_excel_read_debug = 0;
gint ms_excel_pivot_debug = 0;
-gint ms_excel_escher_debug = 0;
+gint ms_excel_escher_debug = 9;
gint ms_excel_formula_debug = 0;
gint ms_excel_chart_debug = 0;
gint ms_excel_write_debug = 0;
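Review bot: The new default `gint ms_excel_escher_debug = 9;` enables Escher debug output for every user, since the `d (1, g_printerr (...))` calls in the ms-escher.c hunk presumably key on this variable and fire at level 1 and above; a crash fix for a fuzzed file would thereby also ship verbose per-record stderr logging. Nothing else in the patch reads the changed value, so it looks like a leftover from reproducing the fuzzed file rather than part of the fix. Suggest keeping `gint ms_excel_escher_debug = 0;` in the backport. The variable sits in a run of file-scope globals whose surrounding context continues outside the hunk.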
diff --git a/plugins/excel/ms-escher.c b/plugins/excel/ms-escher.c
index 9e91b6e..298fd87 100644
--- a/plugins/excel/ms-escher.c
+++ b/plugins/excel/ms-escher.c
@@ -236,11 +236,14 @@ ms_escher_get_data (MSEscherState *state,
int len = q->length - (res - q->data);
int counter = 0;
- d (1, g_printerr ("MERGE needed (%d) which is >= %d + %d;\n",
+ d (1, g_printerr ("MERGE needed (%d) which is >= -%d + %d;\n",
num_bytes, offset, state->end_offset););
do {
+ int maxlen = (buffer + num_bytes) - tmp;
+ len = MIN (len, maxlen);
d (1, g_printerr ("record %d) add %d bytes;\n", ++counter, len););
+
/* copy necessary portion of current record */
memcpy (tmp, res, len);
tmp += len;
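Review bot: The added clamp `len = MIN (len, maxlen);` bounds the copy by the destination, but `len` from `int len = q->length - (res - q->data);` is never checked for sign: if `res` can lie past `q->data + q->length` (whether that happens depends on code outside this hunk), `len` is negative, `MIN` keeps it, and `memcpy (tmp, res, len)` receives it converted to a huge `size_t`. Suggest rejecting that before copying, e.g. `if (len < 0) { g_free (buffer); return NULL; }` just after the clamp. `int maxlen = (buffer + num_bytes) - tmp;` also stores a pointer difference in an `int`; `ptrdiff_t` would make the narrowing explicit and match the type of the subtraction. ms_escher_get_data begins before this hunk and its do/while loop continues past it.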
@@ -257,7 +260,8 @@ ms_escher_get_data (MSEscherState *state,
q->opcode != BIFF_MS_O_DRAWING_SELECTION &&
q->opcode != BIFF_CHART_gelframe &&
q->opcode != BIFF_CONTINUE) {
- g_warning ("Unexpected record type 0x%x @ 0x%lx;", q->opcode, (long)q->streamPos);
+ g_warning ("Unexpected record type 0x%x @ 0x%lx;", q->opcode, (long)q->streamPos);
+ g_free (buffer);
return NULL;
}
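Review bot: The removed and re-added `g_warning ("Unexpected record type 0x%x @ 0x%lx;", q->opcode, (long)q->streamPos);` lines are textually identical here, so the change is whitespace only and adds noise to a CVE backport; dropping that pair keeps the patch minimal and easier to audit. The `g_free (buffer);` before `return NULL;` fixes the leak on this exit, but it is the only early exit visible in the loop — any other `return` between the allocation of `buffer` and the end of the do/while (both outside this hunk) would need the same release. A short comment such as `/* buffer is owned here until returned; free on every early exit */` above the allocation would make that contract explicit.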
--