FreeXL 1.0.5 - multiple heap-buffer-overflows
Dear Security & LTS Teams,
FreeXL 1.0.5 was released yesterday; it fixes various heap-buffer-overflows:
- heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547879
- heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
https://bugzilla.redhat.com/show_bug.cgi?id=1547883
- heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547885
- heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547889
- heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4
https://bugzilla.redhat.com/show_bug.cgi?id=1547892
From the release announcement:
"
Few more vulnerabilities affecting FreeXL have been recently
discovered; for more details please check Red Hat Bugzilla
Bug 1547879
all reported vulnerabilities are never expected to be encountered
when reading valid XLS files, and can only affect purposely crafted
files intended to maliciously trigger some nasty security breach.
the new patched version (FreeXL-1.0.5) sanes any known security
issue.
[1] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.tar.gz
[2] http://www.gaia-gis.it/gaia-sins/freexl-1.0.5.zip
developers and system packagers are warmly invited to quickly
adopt FreeXL-1.0.5
note
========
a new error code (FREEXL_CRAFTED_FILE) has been added to FreeXL,
and it will be returned when a supposed XLS document contains
"impossible values" (not compatible with the XLS specifications),
thus leading to a legitimate suspect of a purposely crafted file.
"
https://groups.google.com/d/topic/spatialite-users/ddE78iVT5b4/discussion
I uploaded freexl (1.0.5-1) to unstable yesterday, and I've
backported the fix to freexl (1.0.2-2+deb9u2), freexl (1.0.0g-1+deb8u5)
& freexl (1.0.0b-1+deb7u5) for stretch, jessie & wheezy respectively.
The changes are available in git:
http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=stretch
http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=jessie
http://anonscm.debian.org/cgit/pkg-grass/freexl.git/log/?h=wheezy
Are these OK to upload?
Kind Regards,
Bas
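The checks the 1.0.5 patch adds all follow one pattern: a length or size field read from the file is compared against what is physically available (the record, the stream, a fixed upper bound) before a single byte is read or written, and an impossible value is reported as FREEXL_CRAFTED_FILE rather than being trusted. The following is an added example written for this page, not code from Bas's mail or from FreeXL itself: a minimal BIFF-style record walker over constructed sample bytes. Only the error value -26 and the 8192 record bound are taken from the patch; the record types XL_REC_STRING / XL_REC_EOF, the string layout, the XL_* names and all sample streams are assumptions made here.

```c
/* Added example, not FreeXL code. XL_CRAFTED_FILE (-26) and the 8192 bound
 * mirror the FreeXL 1.0.5 patch; record types, string layout, names and all
 * sample bytes below are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XL_OK                0
#define XL_BUFFER_TOO_SMALL -1     /* constructed: caller's buffer cannot hold the string */
#define XL_CRAFTED_FILE    -26     /* same value the patch adds to freexl.h */
#define XL_MAX_RECORD_SIZE 8192    /* bound used by the patch in read_mini_biff_next_record */
#define XL_REC_STRING   0x0001     /* constructed record type: length-prefixed string */
#define XL_REC_EOF      0x000A     /* constructed record type: end of stream */

typedef struct {
    uint16_t type;
    uint16_t size;        /* declared data length */
    const uint8_t *data;  /* points into the stream, validated to hold `size` bytes */
} xl_record;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Read the header at *off (2-byte type, 2-byte size, little endian) and check the
 * declared size against the fixed bound and the bytes that actually remain before
 * anything touches the body. A distinct error code (not a bare 0) lets the caller
 * tell a crafted file from an ordinary short read. */
int xl_next_record(const uint8_t *buf, size_t len, size_t *off, xl_record *out)
{
    if (*off + 4 > len)
        return XL_CRAFTED_FILE;            /* header itself would overrun the stream */
    out->type = rd16(buf + *off);
    out->size = rd16(buf + *off + 2);
    if (out->size >= XL_MAX_RECORD_SIZE)
        return XL_CRAFTED_FILE;            /* impossible record size */
    if (*off + 4 + out->size > len)
        return XL_CRAFTED_FILE;            /* body would overrun the stream */
    out->data = buf + *off + 4;
    *off += 4 + out->size;
    return XL_OK;
}

/* Parse a string record body: 2-byte char count, then that many bytes. Mirrors the
 * len <= 0 check and the cursor-vs-record_size check added to parse_SST: the count
 * is rejected before any byte is copied. */
int xl_parse_string(const xl_record *rec, char *out, size_t out_cap)
{
    size_t n;
    if (rec->size < 2)
        return XL_CRAFTED_FILE;            /* no room for the length field */
    n = rd16(rec->data);
    if (n == 0)
        return XL_CRAFTED_FILE;            /* zero length: treated as crafted, as the patch does */
    if (2 + n > rec->size)
        return XL_CRAFTED_FILE;            /* string would run past the record end */
    if (n + 1 > out_cap)
        return XL_BUFFER_TOO_SMALL;
    memcpy(out, rec->data + 2, n);
    out[n] = '\0';
    return XL_OK;
}

/* Walk a stream to its EOF record. Returns XL_OK on a clean EOF, an error code
 * otherwise; *nstrings (if non-NULL) receives the number of string records parsed. */
int xl_walk(const uint8_t *buf, size_t len, int *nstrings)
{
    size_t off = 0;
    xl_record rec;
    char tmp[64];
    int rc, count = 0;
    for (;;) {
        rc = xl_next_record(buf, len, &off, &rec);
        if (rc != XL_OK)
            return rc;
        if (rec.type == XL_REC_EOF)
            break;
        if (rec.type == XL_REC_STRING) {
            rc = xl_parse_string(&rec, tmp, sizeof tmp);
            if (rc != XL_OK)
                return rc;
            count++;
        }
        /* other record types are skipped; their size was already validated */
    }
    if (nstrings)
        *nstrings = count;
    return XL_OK;
}

/* Number of strings in a well-formed stream, or the (negative) error code. */
int xl_string_count(const uint8_t *buf, size_t len)
{
    int n = 0, rc = xl_walk(buf, len, &n);
    return rc == XL_OK ? n : rc;
}

/* Constructed sample streams (not real XLS bytes): type, size, data. */
static const uint8_t XL_SAMPLE_GOOD[] = {
    0x01, 0x00, 0x05, 0x00, 0x03, 0x00, 'a', 'b', 'c',  /* string: len 3, "abc" */
    0x0A, 0x00, 0x00, 0x00 };                            /* EOF record, no data */
static const uint8_t XL_SAMPLE_LEN_OVERRUN[] = {
    0x01, 0x00, 0x05, 0x00, 0x00, 0x01, 'a', 'b', 'c',  /* claims 256 chars, has 3 */
    0x0A, 0x00, 0x00, 0x00 };
static const uint8_t XL_SAMPLE_ZERO_LEN[] = {
    0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00 };
static const uint8_t XL_SAMPLE_HUGE_RECORD[] = {
    0x01, 0x00, 0xFF, 0xFF, 0x03, 0x00, 'a' };           /* declared size 65535 */
static const uint8_t XL_SAMPLE_TRUNCATED[] = {
    0x01, 0x00, 0x20, 0x00, 0x03, 0x00, 'a', 'b', 'c' }; /* declared size 32, 5 bytes present */

int main(void)
{
    printf("good:         %d\n", xl_string_count(XL_SAMPLE_GOOD, sizeof XL_SAMPLE_GOOD));
    printf("len overrun:  %d\n", xl_string_count(XL_SAMPLE_LEN_OVERRUN, sizeof XL_SAMPLE_LEN_OVERRUN));
    printf("zero length:  %d\n", xl_string_count(XL_SAMPLE_ZERO_LEN, sizeof XL_SAMPLE_ZERO_LEN));
    printf("huge record:  %d\n", xl_string_count(XL_SAMPLE_HUGE_RECORD, sizeof XL_SAMPLE_HUGE_RECORD));
    printf("truncated:    %d\n", xl_string_count(XL_SAMPLE_TRUNCATED, sizeof XL_SAMPLE_TRUNCATED));
    return 0;
}
```

The point of the example is the ordering: every size field is validated against the bytes that actually exist before it is used as a loop bound or an index, and the rejection is a named error code, so an application can log "crafted file" separately from "file truncated".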
diff -Nru freexl-1.0.0b/debian/changelog freexl-1.0.0b/debian/changelog
--- freexl-1.0.0b/debian/changelog 2017-09-16 23:26:04.000000000 +0200
+++ freexl-1.0.0b/debian/changelog 2018-02-23 11:04:45.000000000 +0100
@@ -1,3 +1,21 @@
+freexl (1.0.0b-1+deb7u5) wheezy-security; urgency=high
+
+ * Add upstream patch to fix various heap-buffer-overflows.
+ - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
+ 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
+ FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+
+ -- Bas Couwenberg <sebastic@debian.org> Fri, 23 Feb 2018 11:04:45 +0100
+
freexl (1.0.0b-1+deb7u4) wheezy-security; urgency=high
* Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
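Review bot: the new entry cites the five Red Hat bugs but no CVE identifiers, unlike the previous entry's `CVE-2017-2923 & CVE-2017-2924` form; if ids are assigned for these 1.0.4 issues, add them so the security tracker can match the upload. Two smaller points: the second item carries the duplicated word from the bug title (`parse_SST parse_SST`), and the `destroy_cell` item is addressed in the patch by a change in `allocate_cells` (returning with `cell_values = NULL`), which the entry does not say; a short note on that mapping would help anyone auditing the backport.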
diff -Nru freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch
--- freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch 1970-01-01 01:00:00.000000000 +0100
+++ freexl-1.0.0b/debian/patches/security-fixes-1.0.5.patch 2018-02-23 11:04:45.000000000 +0100
@@ -0,0 +1,122 @@
+Description: Security fixes from FreeXL 1.0.5.
+ heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ .
+ heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ .
+ heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ .
+ heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ .
+ heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+ .
+ Reported upstream in:
+ https://groups.google.com/d/topic/spatialite-users/b-d9iB5TDPE/discussion
+Author: Alessandro Furieri <a.furieri@lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/1f00f424a24b355e?sbs=0
+ https://www.gaia-gis.it/fossil/freexl/ci/97c9f43cea4fcd54?sbs=0
+ https://www.gaia-gis.it/fossil/freexl/ci/9907dcec7fc34a91?sbs=0
+
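Review bot: the DEP-3 header has `Author:` and `Origin:` but no `Bug:` field; the five Bugzilla links only appear as free text inside `Description:`, where patch tooling will not pick them up. Consider one `Bug: https://bugzilla.redhat.com/show_bug.cgi?id=...` line per issue, and a `Last-Update:` line with the backport date.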
+--- a/headers/freexl.h
++++ b/headers/freexl.h
+@@ -292,6 +292,11 @@ extern "C"
+ #define FREEXL_CFBF_ILLEGAL_MINI_FAT_ENTRY -25 /**< The MiniFAT stream
+ contains an invalid entry.
+ Possibly a corrupt file. */
++#define FREEXL_CRAFTED_FILE -26 /**< A severely corrupted file
++ (may be purposely crafted for
++ malicious purposes) has been
++ detected. */
++
+
+ /**
+ Container for a cell value
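Review bot: `FREEXL_CRAFTED_FILE` is a new value in the public header, so applications that `switch` on the error codes returned by the library need to learn it; worth a line in the package's changelog or NEWS. Style point: the hunk adds `++` followed by an existing blank `+` line, leaving two blank lines before the `/**` block; drop one.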
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -1092,6 +1092,11 @@ allocate_cells (biff_workbook * workbook
+ return FREEXL_INSUFFICIENT_MEMORY;
+
+ /* allocating the cell values array */
++ if (workbook->active_sheet->rows * workbook->active_sheet->columns <= 0)
++ {
++ workbook->active_sheet->cell_values = NULL;
++ return FREEXL_OK;
++ }
+ workbook->active_sheet->cell_values =
+ malloc (sizeof (biff_cell_value) *
+ (workbook->active_sheet->rows *
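Review bot: `rows * columns <= 0` multiplies before it checks, so two large positive `int` values can overflow (undefined behaviour) and make the test pass or fail spuriously; test the factors separately, e.g. `if (workbook->active_sheet->rows <= 0 || workbook->active_sheet->columns <= 0)`, and note that the same product feeds the `malloc` size right below. Since the function now returns `FREEXL_OK` with `cell_values == NULL`, every consumer of `cell_values`, including `destroy_cell` named in the changelog, must tolerate NULL; that is not visible in this patch and should be confirmed against the 1.0.0b source.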
+@@ -1782,6 +1787,12 @@ parse_SST (biff_workbook * workbook, int
+ unsigned int i;
+ for (i = 0; i < len; i++)
+ {
++ if (p_string - workbook->record >=
++ workbook->record_size)
++ {
++ /* buffer overflow: it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ *(utf16_buf + (utf16_off * 2) + (i * 2)) =
+ *p_string;
+ p_string++;
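Review bot: the new test bounds the read cursor (`p_string - workbook->record`) against `record_size` before each byte is copied, so the read side is covered; the write target `*(utf16_buf + (utf16_off * 2) + (i * 2))` gets no corresponding check in this hunk, so confirm that `utf16_buf` is sized from the same `len` the loop uses. The comment's "preasumable" is upstream's spelling (also in the three `len <= 0` hunks); leaving it as is keeps the patch matching the Fossil commits in `Origin:`.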
+@@ -1882,6 +1893,11 @@ parse_SST (biff_workbook * workbook, int
+ return FREEXL_OK;
+ }
+
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string, &utf8_string))
+ return FREEXL_INVALID_CHARACTER;
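Review bot: the comment says "zero length" but the condition is `len <= 0`, which also rejects negative values if `len` is signed; that is the safer test, so the comment rather than the code should change. This five-line block is repeated verbatim four times in the patch (here and at three sites in `parse_biff_record`); a small static helper or macro in `freexl.c` would make future audits of the string-length handling easier.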
+@@ -2960,6 +2976,11 @@ parse_biff_record (biff_workbook * workb
+ if (swap)
+ swap32 (&offset);
+ len = workbook->record[6];
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (workbook->biff_version == FREEXL_BIFF_VER_5)
+ {
+ /* BIFF5: codepage text */
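Review bot: `len = workbook->record[6]` is read before the new check, and nothing in this hunk shows `record_size` being verified to be at least 7; if a shorter record can reach this point, that read is itself out of bounds whatever `len` turns out to be, so confirm the caller guarantees the minimum size. If `record[6]` is an unsigned byte, `len <= 0` reduces to `len == 0` here, so the "zero length" comment is exact for this site.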
+@@ -3119,6 +3140,11 @@ parse_biff_record (biff_workbook * workb
+ get_unicode_params (p_string, swap, &start_offset, &utf16,
+ &extra_skip);
+ p_string += start_offset;
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string,
+ &utf8_string))
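Review bot: the check sits after `p_string += start_offset`, where `start_offset` is produced by `get_unicode_params` reading from `p_string`; moving the `len <= 0` test ahead of that call would avoid touching the string header of a record that is going to be rejected anyway. The identical hunk in `parse_biff_record` at the 3479 offset has the same shape.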
+@@ -3479,6 +3505,11 @@ parse_biff_record (biff_workbook * workb
+ get_unicode_params (p_string, swap, &start_offset, &utf16,
+ &extra_skip);
+ p_string += start_offset;
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string,
+ &utf8_string))
+@@ -3761,6 +3792,9 @@ read_mini_biff_next_record (biff_workboo
+ workbook->record_type = record_type.value;
+ workbook->record_size = record_size.value;
+
++ if (workbook->record_size >= 8192)
++ return 0; /* malformed or crafted file */
++
+ if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
+ (int) workbook->size)
+ return 0; /* unexpected EOF */
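Review bot: `8192` is a magic number; give it a name and document where it comes from, because the BIFF8 record format allows up to 8224 bytes of record data, so `>= 8192` could reject a legitimate maximal record unless the reader's own buffer is known to be smaller (check the allocation size of `workbook->record`). Also, `return 0` here is the same value as the "unexpected EOF" path just below, so the caller cannot distinguish a crafted file from a truncated one and the new `FREEXL_CRAFTED_FILE` code never surfaces from this function.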
diff -Nru freexl-1.0.0b/debian/patches/series freexl-1.0.0b/debian/patches/series
--- freexl-1.0.0b/debian/patches/series 2017-09-16 23:26:04.000000000 +0200
+++ freexl-1.0.0b/debian/patches/series 2018-02-23 11:04:45.000000000 +0100
@@ -2,3 +2,4 @@
32bit-multiplication-overflow.patch
afl-vulnerabilitities-regression.patch
CVE-2017-2923_CVE-2017-2924.patch
+security-fixes-1.0.5.patch
diff -Nru freexl-1.0.0g/debian/changelog freexl-1.0.0g/debian/changelog
--- freexl-1.0.0g/debian/changelog 2017-09-16 23:26:04.000000000 +0200
+++ freexl-1.0.0g/debian/changelog 2018-02-23 11:03:17.000000000 +0100
@@ -1,3 +1,21 @@
+freexl (1.0.0g-1+deb8u5) jessie-security; urgency=high
+
+ * Add upstream patch to fix various heap-buffer-overflows.
+ - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
+ 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
+ FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+
+ -- Bas Couwenberg <sebastic@debian.org> Fri, 23 Feb 2018 11:03:17 +0100
+
freexl (1.0.0g-1+deb8u4) jessie-security; urgency=high
* Add upstream patch to fix CVE-2017-2923 & CVE-2017-2924.
diff -Nru freexl-1.0.0g/debian/patches/security-fixes-1.0.5.patch freexl-1.0.0g/debian/patches/security-fixes-1.0.5.patch
--- freexl-1.0.0g/debian/patches/security-fixes-1.0.5.patch 1970-01-01 01:00:00.000000000 +0100
+++ freexl-1.0.0g/debian/patches/security-fixes-1.0.5.patch 2018-02-23 11:03:17.000000000 +0100
@@ -0,0 +1,122 @@
+Description: Security fixes from FreeXL 1.0.5.
+ heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ .
+ heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ .
+ heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ .
+ heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ .
+ heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+ .
+ Reported upstream in:
+ https://groups.google.com/d/topic/spatialite-users/b-d9iB5TDPE/discussion
+Author: Alessandro Furieri <a.furieri@lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/1f00f424a24b355e?sbs=0
+ https://www.gaia-gis.it/fossil/freexl/ci/97c9f43cea4fcd54?sbs=0
+ https://www.gaia-gis.it/fossil/freexl/ci/9907dcec7fc34a91?sbs=0
+
+--- a/headers/freexl.h
++++ b/headers/freexl.h
+@@ -292,6 +292,11 @@ extern "C"
+ #define FREEXL_CFBF_ILLEGAL_MINI_FAT_ENTRY -25 /**< The MiniFAT stream
+ contains an invalid entry.
+ Possibly a corrupt file. */
++#define FREEXL_CRAFTED_FILE -26 /**< A severely corrupted file
++ (may be purposely crafted for
++ malicious purposes) has been
++ detected. */
++
+
+ /**
+ Container for a cell value
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -1098,6 +1098,11 @@ allocate_cells (biff_workbook * workbook
+ return FREEXL_INSUFFICIENT_MEMORY;
+
+ /* allocating the cell values array */
++ if (workbook->active_sheet->rows * workbook->active_sheet->columns <= 0)
++ {
++ workbook->active_sheet->cell_values = NULL;
++ return FREEXL_OK;
++ }
+ workbook->active_sheet->cell_values =
+ malloc (sizeof (biff_cell_value) *
+ (workbook->active_sheet->rows *
+@@ -1788,6 +1793,12 @@ parse_SST (biff_workbook * workbook, int
+ unsigned int i;
+ for (i = 0; i < len; i++)
+ {
++ if (p_string - workbook->record >=
++ workbook->record_size)
++ {
++ /* buffer overflow: it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ *(utf16_buf + (utf16_off * 2) + (i * 2)) =
+ *p_string;
+ p_string++;
+@@ -1888,6 +1899,11 @@ parse_SST (biff_workbook * workbook, int
+ return FREEXL_OK;
+ }
+
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string, &utf8_string))
+ return FREEXL_INVALID_CHARACTER;
+@@ -3041,6 +3057,11 @@ parse_biff_record (biff_workbook * workb
+ if (swap)
+ swap32 (&offset);
+ len = workbook->record[6];
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (workbook->biff_version == FREEXL_BIFF_VER_5)
+ {
+ /* BIFF5: codepage text */
+@@ -3200,6 +3221,11 @@ parse_biff_record (biff_workbook * workb
+ get_unicode_params (p_string, swap, &start_offset, &utf16,
+ &extra_skip);
+ p_string += start_offset;
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string,
+ &utf8_string))
+@@ -3594,6 +3620,11 @@ parse_biff_record (biff_workbook * workb
+ get_unicode_params (p_string, swap, &start_offset, &utf16,
+ &extra_skip);
+ p_string += start_offset;
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string,
+ &utf8_string))
+@@ -3876,6 +3907,9 @@ read_mini_biff_next_record (biff_workboo
+ workbook->record_type = record_type.value;
+ workbook->record_size = record_size.value;
+
++ if (workbook->record_size >= 8192)
++ return 0; /* malformed or crafted file */
++
+ if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
+ (int) workbook->size)
+ return 0; /* unexpected EOF */
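Review bot: apart from the hunk offsets, which were refreshed for the 1.0.0g source, this patch is byte-identical to the 1.0.0b copy, so it inherits the same open points: the `rows * columns` product can overflow before the `<= 0` test, `8192` is an unnamed bound that sits below the 8224-byte BIFF8 record maximum, and `return 0` in `read_mini_biff_next_record` conflates "crafted" with "truncated". Fixing those in all three copies at once would keep the suites in step.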
diff -Nru freexl-1.0.0g/debian/patches/series freexl-1.0.0g/debian/patches/series
--- freexl-1.0.0g/debian/patches/series 2017-09-16 23:26:04.000000000 +0200
+++ freexl-1.0.0g/debian/patches/series 2018-02-23 11:03:17.000000000 +0100
@@ -2,3 +2,4 @@
32bit-multiplication-overflow.patch
afl-vulnerabilitities-regression.patch
CVE-2017-2923_CVE-2017-2924.patch
+security-fixes-1.0.5.patch
diff -Nru freexl-1.0.2/debian/changelog freexl-1.0.2/debian/changelog
--- freexl-1.0.2/debian/changelog 2017-09-16 23:19:22.000000000 +0200
+++ freexl-1.0.2/debian/changelog 2018-02-23 10:57:19.000000000 +0100
@@ -1,3 +1,21 @@
+freexl (1.0.2-2+deb9u2) stretch-security; urgency=high
+
+ * Add upstream patch to fix various heap-buffer-overflows.
+ - heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ - heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ - heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ - heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL
+ 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ - heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of
+ FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+
+ -- Bas Couwenberg <sebastic@debian.org> Fri, 23 Feb 2018 10:57:19 +0100
+
freexl (1.0.2-2+deb9u1) stretch-security; urgency=high
* Update branch in gbp.conf & Vcs-Git URL.
diff -Nru freexl-1.0.2/debian/patches/security-fixes-1.0.5.patch freexl-1.0.2/debian/patches/security-fixes-1.0.5.patch
--- freexl-1.0.2/debian/patches/security-fixes-1.0.5.patch 1970-01-01 01:00:00.000000000 +0100
+++ freexl-1.0.2/debian/patches/security-fixes-1.0.5.patch 2018-02-23 10:57:19.000000000 +0100
@@ -0,0 +1,122 @@
+Description: Security fixes from FreeXL 1.0.5.
+ heap-buffer-overflow in freexl::destroy_cell of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547879
+ .
+ heap-buffer-overflow in freexl.c:1805 parse_SST parse_SST
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547883
+ .
+ heap-buffer-overflow in freexl.c:1866 parse_SST of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547885
+ .
+ heap-buffer-overflow in freexl.c:383 parse_unicode_string of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547889
+ .
+ heap-buffer-overflow in freexl.c:3912 read_mini_biff_next_record of FreeXL 1.0.4
+ https://bugzilla.redhat.com/show_bug.cgi?id=1547892
+ .
+ Reported upstream in:
+ https://groups.google.com/d/topic/spatialite-users/b-d9iB5TDPE/discussion
+Author: Alessandro Furieri <a.furieri@lqt.it>
+Origin: https://www.gaia-gis.it/fossil/freexl/ci/1f00f424a24b355e?sbs=0
+ https://www.gaia-gis.it/fossil/freexl/ci/97c9f43cea4fcd54?sbs=0
+ https://www.gaia-gis.it/fossil/freexl/ci/9907dcec7fc34a91?sbs=0
+
+--- a/headers/freexl.h
++++ b/headers/freexl.h
+@@ -292,6 +292,11 @@ extern "C"
+ #define FREEXL_CFBF_ILLEGAL_MINI_FAT_ENTRY -25 /**< The MiniFAT stream
+ contains an invalid entry.
+ Possibly a corrupt file. */
++#define FREEXL_CRAFTED_FILE -26 /**< A severely corrupted file
++ (may be purposely crafted for
++ malicious purposes) has been
++ detected. */
++
+
+ /**
+ Container for a cell value
+--- a/src/freexl.c
++++ b/src/freexl.c
+@@ -1108,6 +1108,11 @@ allocate_cells (biff_workbook * workbook
+ return FREEXL_INSUFFICIENT_MEMORY;
+
+ /* allocating the cell values array */
++ if (workbook->active_sheet->rows * workbook->active_sheet->columns <= 0)
++ {
++ workbook->active_sheet->cell_values = NULL;
++ return FREEXL_OK;
++ }
+ workbook->active_sheet->cell_values =
+ malloc (sizeof (biff_cell_value) *
+ (workbook->active_sheet->rows *
+@@ -1798,6 +1803,12 @@ parse_SST (biff_workbook * workbook, int
+ unsigned int i;
+ for (i = 0; i < len; i++)
+ {
++ if (p_string - workbook->record >=
++ workbook->record_size)
++ {
++ /* buffer overflow: it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ *(utf16_buf + (utf16_off * 2) + (i * 2)) =
+ *p_string;
+ p_string++;
+@@ -1898,6 +1909,11 @@ parse_SST (biff_workbook * workbook, int
+ return FREEXL_OK;
+ }
+
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string, &utf8_string))
+ return FREEXL_INVALID_CHARACTER;
+@@ -3051,6 +3067,11 @@ parse_biff_record (biff_workbook * workb
+ if (swap)
+ swap32 (&offset);
+ len = workbook->record[6];
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (workbook->biff_version == FREEXL_BIFF_VER_5)
+ {
+ /* BIFF5: codepage text */
+@@ -3210,6 +3231,11 @@ parse_biff_record (biff_workbook * workb
+ get_unicode_params (p_string, swap, &start_offset, &utf16,
+ &extra_skip);
+ p_string += start_offset;
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string,
+ &utf8_string))
+@@ -3604,6 +3630,11 @@ parse_biff_record (biff_workbook * workb
+ get_unicode_params (p_string, swap, &start_offset, &utf16,
+ &extra_skip);
+ p_string += start_offset;
++ if (len <= 0)
++ {
++ /* zero length - it's a preasumable crafted file intended to crash FreeXL */
++ return FREEXL_CRAFTED_FILE;
++ }
+ if (!parse_unicode_string
+ (workbook->utf16_converter, len, utf16, p_string,
+ &utf8_string))
+@@ -3886,6 +3917,9 @@ read_mini_biff_next_record (biff_workboo
+ workbook->record_type = record_type.value;
+ workbook->record_size = record_size.value;
+
++ if (workbook->record_size >= 8192)
++ return 0; /* malformed or crafted file */
++
+ if ((workbook->p_in - workbook->fat->miniStream) + workbook->record_size >
+ (int) workbook->size)
+ return 0; /* unexpected EOF */
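Review bot: same content as the 1.0.0b and 1.0.0g copies with offsets refreshed for 1.0.2; the `len <= 0` block appears four times and `FREEXL_CRAFTED_FILE` is still unused by `read_mini_biff_next_record`. One difference worth checking is that the stretch `series` carries only `CVE-2017-2923_CVE-2017-2924.patch` before this one, so the `allocate_cells` hunk lands on a source that never had `32bit-multiplication-overflow.patch`; confirm the `rows * columns` product is already guarded there.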
diff -Nru freexl-1.0.2/debian/patches/series freexl-1.0.2/debian/patches/series
--- freexl-1.0.2/debian/patches/series 2017-09-16 23:19:22.000000000 +0200
+++ freexl-1.0.2/debian/patches/series 2018-02-23 10:57:19.000000000 +0100
@@ -1 +1,2 @@
CVE-2017-2923_CVE-2017-2924.patch
+security-fixes-1.0.5.patch