File: 0008-Added-a-guard-against-a-product-overflow-when-proces.patch

catdoc 1%3A0.95-6
From: Ali Rizvi-Santiago <arizvisa@gmail.com>
Date: Fri, 11 Apr 2025 12:08:44 -0500
Subject: Added a guard against a product overflow when processing "SST"
 records from the "Workbook" stream.

---
 src/xlsparse.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/xlsparse.c b/src/xlsparse.c
index 53fc21c..c44ac89 100644
--- a/src/xlsparse.c
+++ b/src/xlsparse.c
@@ -10,6 +10,8 @@
 #endif
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
+#include <errno.h>
 #include "xls.h"
 #include "catdoc.h"
 #include "xltypes.h"
@@ -772,13 +774,21 @@ void parse_sst(unsigned char *sstbuf,int bufsize) {
 	unsigned char *barrier=(unsigned char *)sstbuf+bufsize; /*pointer to end of buffer*/
 	unsigned char **parsedString;/*pointer into parsed array*/ 
 			
-	sstsize = getlong(sstbuf+4,0);
+	sstsize = getlong(sstbuf+4,0);	// int
+
+	// Guard the next allocation against a product overflow.
+	if (!(sstsize < INT_MAX / sizeof(unsigned char*))) {
+		errno = EOVERFLOW;
+		perror("SST size error");
+		exit(1);
+	}
+
 	sst=(unsigned char **)malloc(sstsize*sizeof(unsigned char *));
-	
 	if (sst == NULL) {
 		perror("SST allocation error");
 		exit(1);
 	}
+
 	memset(sst,0,sstsize*sizeof(char *));
 	for (i=0,parsedString=sst,curString=sstbuf+8;
 			 i<sstsize && curString<barrier; i++,parsedString++) {
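Review bot: The new guard in parse_sst caps `sstsize` only at `INT_MAX / sizeof(unsigned char*)`, so a count taken from the record can still drive `malloc` and `memset` to nearly 2 GiB however small `bufsize` is, even though the loop below stops at `barrier` and never fills entries the buffer cannot hold. I would bound the count by the buffer too and make the sign check explicit instead of relying on the int-to-size_t conversion in the comparison, e.g. `if (sstsize < 0 || sstsize > bufsize || (size_t)sstsize >= INT_MAX / sizeof(unsigned char *))`. The hunk also shows no check that `bufsize` is at least 8 before `getlong(sstbuf+4,0)` and `curString=sstbuf+8`; unless the caller guarantees that, the count itself is read past the end of the buffer. `EOVERFLOW` is a POSIX errno value rather than an ISO C one, so it may be undefined on some targets this file is built for. The function starts before this hunk and its loop body continues after it, so any earlier validation is not visible here.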