Hello community, here is the log from the commit of package freexl for openSUSE:Factory checked in at 2017-09-13 22:37:30 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/freexl (Old) and /work/SRC/openSUSE:Factory/.freexl.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freexl" Wed Sep 13 22:37:30 2017 rev:6 rq:524234 version:1.0.4 Changes: -------- --- /work/SRC/openSUSE:Factory/freexl/freexl.changes 2016-07-01 09:59:48.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.freexl.new/freexl.changes 2017-09-13 22:37:42.381342107 +0200 @@ -1,0 +2,9 @@ +Wed Sep 13 08:12:07 UTC 2017 - mplus...@suse.com + +- Update to version 1.0.4: + * No chagelog provided by upstream + * CVE-2017-2924 (boo#1058433) from 1.0.3 is fixed + * CVE-2017-2923 (boo#1058431) from 1.0.3 is fixed +- Small packaging cleanup + +------------------------------------------------------------------- Old: ---- freexl-1.0.2.tar.gz New: ---- freexl-1.0.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freexl.spec ++++++ --- /var/tmp/diff_new_pack.QCdMeq/_old 2017-09-13 22:37:45.064964259 +0200 +++ /var/tmp/diff_new_pack.QCdMeq/_new 2017-09-13 22:37:45.068963696 +0200 @@ -1,7 +1,7 @@ # # spec file for package freexl # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -16,19 +16,19 @@ # -%define libname lib%{name}1 +%define sover 1 +%define libname lib%{name}%{sover} Name: freexl -Version: 1.0.2 +Version: 1.0.4 Release: 0 Summary: Library to extract valid data from within an Excel -License: MPL-1.1 or GPL-2.0+ or LGPL-2.1+ +License: MPL-1.1 OR GPL-2.0+ OR LGPL-2.1+ Group: Development/Libraries/C and C++ Url: https://www.gaia-gis.it/fossil/freexl/index Source: http://www.gaia-gis.it/gaia-sins/%{name}-%{version}.tar.gz BuildRequires: fdupes BuildRequires: gcc-c++ BuildRequires: pkgconfig -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description FreeXL is an open source library to extract valid data from within an Excel 
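Review bot: The `Source:` line in the `@@ -16,19 +16,19 @@` hunk of freexl.spec still fetches the 1.0.4 tarball over plain `http://`, while `Url:` on the line above already uses `https://`, and the hunk adds no signature or keyring source. The archive that carries the CVE-2017-2923 and CVE-2017-2924 fixes is therefore not authenticated in transit. If the upstream host serves that path over TLS, change the line to `Source: https://www.gaia-gis.it/gaia-sins/%{name}-%{version}.tar.gz`. Whether the build service pins a checksum for the tarball elsewhere is not visible on this page.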
@@ -65,19 +65,17 @@ make check %{?_smp_mflags} %install -make %{?_smp_mflags} DESTDIR=%{buildroot} install +%make_install find %{buildroot} -type f -name "*.la" -delete -print %post -n %{libname} -p /sbin/ldconfig %postun -n %{libname} -p /sbin/ldconfig %files -n lib%{name}1 -%defattr(-,root,root,-) %doc AUTHORS COPYING README -%{_libdir}/libfreexl.so.* +%{_libdir}/libfreexl.so.%{sover}* %files devel -%defattr(-,root,root,-) %doc AUTHORS COPYING README %{_includedir}/freexl.h %{_libdir}/libfreexl.so ++++++ freexl-1.0.2.tar.gz -> freexl-1.0.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/freexl-1.0.2/Makefile.in new/freexl-1.0.4/Makefile.in --- old/freexl-1.0.2/Makefile.in 2015-07-14 09:45:23.000000000 +0200 +++ new/freexl-1.0.4/Makefile.in 2017-09-07 22:07:02.000000000 +0200 @@ -624,7 +624,7 @@ ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ || chmod -R a+r "$(distdir)" dist-gzip: distdir - tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz + tardir=$(distdir) && $(am__tar) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).tar.gz $(am__post_remove_distdir) dist-bzip2: distdir @@ -650,7 +650,7 @@ @echo WARNING: "Support for shar distribution archives is" \ "deprecated." >&2 @echo WARNING: "It will be removed altogether in Automake 2.0" >&2 - shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz + shar $(distdir) | eval GZIP= gzip $(GZIP_ENV) -c >$(distdir).shar.gz $(am__post_remove_distdir) dist-zip: distdir -rm -f $(distdir).zip @@ -667,7 +667,7 @@ distcheck: dist case '$(DIST_ARCHIVES)' in \ *.tar.gz*) \ - GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ + eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).tar.gz | $(am__untar) ;;\ *.tar.bz2*) \ bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ *.tar.lz*) \ 
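Review bot: In the `@@ -65,19 +65,17 @@` hunk of freexl.spec the `%files -n lib%{name}1` line still hard-codes the soname number that this commit moved into `%{sover}`, while the `%post` and `%postun` lines just above it use `%{libname}`. Write it as `%files -n %{libname}` so that a future soname change only touches the `%define sover` line and the file list cannot end up attached to a differently named subpackage.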
@@ -677,7 +677,7 @@ *.tar.Z*) \ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ *.shar.gz*) \ - GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ + eval GZIP= gzip $(GZIP_ENV) -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ esac diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/freexl-1.0.2/config-msvc.h new/freexl-1.0.4/config-msvc.h --- old/freexl-1.0.2/config-msvc.h 2015-07-14 09:45:23.000000000 +0200 +++ new/freexl-1.0.4/config-msvc.h 2017-09-07 22:07:02.000000000 +0200 @@ -86,7 +86,7 @@ #define PACKAGE_NAME "FreeXL" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "FreeXL 1.0.1" +#define PACKAGE_STRING "FreeXL 1.0.4" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "freexl" @@ -95,7 +95,7 @@ #define PACKAGE_URL "" /* Define to the version of this package. */ -#define PACKAGE_VERSION "1.0.0e" +#define PACKAGE_VERSION "1.0.4" /* Define to 1 if you have the ANSI C header files. */ #define STDC_HEADERS 1 @@ -107,7 +107,7 @@ /* #undef TM_IN_SYS_TIME */ /* Version number of package */ -#define VERSION "1.0.1" +#define VERSION "1.0.4" /* Define to empty if `const' does not conform to ANSI C. */ /* #undef const */ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/freexl-1.0.2/configure new/freexl-1.0.4/configure --- old/freexl-1.0.2/configure 2015-07-14 09:45:23.000000000 +0200 +++ new/freexl-1.0.4/configure 2017-09-07 22:07:02.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for FreeXL 1.0.2. +# Generated by GNU Autoconf 2.69 for FreeXL 1.0.4. # # Report bugs to <a.furi...@lqt.it>. # 
@@ -590,8 +590,8 @@ # Identity of this package. PACKAGE_NAME='FreeXL' PACKAGE_TARNAME='freexl' -PACKAGE_VERSION='1.0.2' -PACKAGE_STRING='FreeXL 1.0.2' +PACKAGE_VERSION='1.0.4' +PACKAGE_STRING='FreeXL 1.0.4' PACKAGE_BUGREPORT='a.furi...@lqt.it' PACKAGE_URL='' @@ -1326,7 +1326,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures FreeXL 1.0.2 to adapt to many kinds of systems. +\`configure' configures FreeXL 1.0.4 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1396,7 +1396,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of FreeXL 1.0.2:";; + short | recursive ) echo "Configuration of FreeXL 1.0.4:";; esac cat <<\_ACEOF @@ -1508,7 +1508,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -FreeXL configure 1.0.2 +FreeXL configure 1.0.4 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2052,7 +2052,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by FreeXL $as_me 1.0.2, which was +It was created by FreeXL $as_me 1.0.4, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2923,7 +2923,7 @@ # Define the identity of the package. PACKAGE='freexl' - VERSION='1.0.2' + VERSION='1.0.4' cat >>confdefs.h <<_ACEOF @@ -17813,7 +17813,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by FreeXL $as_me 1.0.2, which was +This file was extended by FreeXL $as_me 1.0.4, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -17879,7 +17879,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -FreeXL config.status 1.0.2 +FreeXL config.status 1.0.4 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/freexl-1.0.2/configure.ac new/freexl-1.0.4/configure.ac --- old/freexl-1.0.2/configure.ac 2015-07-14 09:45:23.000000000 +0200 +++ new/freexl-1.0.4/configure.ac 2017-09-07 22:07:02.000000000 +0200 @@ -2,7 +2,7 @@ # Process this file with autoconf to produce a configure script. AC_PREREQ(2.61) -AC_INIT(FreeXL, 1.0.2, a.furi...@lqt.it) +AC_INIT(FreeXL, 1.0.4, a.furi...@lqt.it) AC_LANG(C) AC_CONFIG_AUX_DIR([.]) AC_CONFIG_MACRO_DIR([m4]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/freexl-1.0.2/headers/freexl_internals.h new/freexl-1.0.4/headers/freexl_internals.h --- old/freexl-1.0.2/headers/freexl_internals.h 2015-07-14 09:45:23.000000000 +0200 +++ new/freexl-1.0.4/headers/freexl_internals.h 2017-09-07 22:07:02.000000000 +0200 @@ -171,6 +171,7 @@ unsigned int current_utf16_len; /* current UTF-16 length */ unsigned int current_utf16_off; /* current UTF-16 offset */ unsigned int current_utf16_skip; /* bytes to be skipped after the current string */ + unsigned int next_utf16_skip; /* remaining bytes to be skipped in the next record */ } biff_string_table; typedef struct biff_cell_value_struct diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/freexl-1.0.2/src/freexl.c new/freexl-1.0.4/src/freexl.c --- old/freexl-1.0.2/src/freexl.c 2015-07-14 09:45:23.000000000 +0200 +++ new/freexl-1.0.4/src/freexl.c 2017-09-07 22:07:02.000000000 +0200 
@@ -339,15 +339,7 @@ *real_utf16 = 1; else *real_utf16 = 0; - if ((mask & 0x04) == 0x04) - { - /* optional field: 32-bits */ - memcpy (word32.bytes, p_string, 2); - if (swap) - swap32 (&word32); - skip_1 = word32.value; - p_string += 4; - } + if ((mask & 0x08) == 0x08) { /* optional field 16-bits */ @@ -357,6 +349,15 @@ skip_2 = word16.value; p_string += 2; } + if ((mask & 0x04) == 0x04) + { + /* optional field: 32-bits */ + memcpy (word32.bytes, p_string, 4); + if (swap) + swap32 (&word32); + skip_1 = word32.value; + p_string += 4; + } *start_offset = p_string - addr; *extra_skip = skip_1 + (skip_2 * 4); } @@ -951,6 +952,21 @@ return FREEXL_OK; } +static size_t +xls_fread (size_t bufsz, void *buf, size_t size, size_t nmemb, FILE * fl) +{ +/* +/ Sandro 2017-09-07 +/ secure version of "fread" checking against buffer overflows +/--------------------------- +/ expected to fix the issue reported by +/ Cisco [TALOS-2017-431] +*/ + if ((size * nmemb) > bufsz) + return 0; + return fread (buf, size, nmemb, fl); +} + static fat_chain * alloc_fat_chain (int swap, unsigned short sector_shift, unsigned int directory_start) @@ -1228,6 +1244,7 @@ workbook->shared_strings.current_utf16_len = 0; workbook->shared_strings.current_utf16_off = 0; workbook->shared_strings.current_utf16_skip = 0; + workbook->shared_strings.next_utf16_skip = 0; workbook->first_sheet = NULL; workbook->last_sheet = NULL; workbook->active_sheet = NULL; @@ -1393,7 +1410,8 @@ max_fat = 128; /* reading a FAT sector */ - if (fread (buf, 1, chain->sector_size, xls) != chain->sector_size) + if (xls_fread (sizeof (buf), buf, 1, chain->sector_size, xls) != + chain->sector_size) return FREEXL_CFBF_READ_ERROR; for (i_fat = 0; i_fat < max_fat; i_fat++) 
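Review bot: The reordered optional-field reads in the `@@ -357,6 +349,15 @@` hunk (`memcpy (word32.bytes, p_string, 4)` and the 16-bit read before it) still copy from `p_string` without checking that 2 or 4 bytes remain in the record. In addition, `*extra_skip = skip_1 + (skip_2 * 4)` adds two file-supplied values with no upper bound. The function's signature is outside the hunk, so it cannot be seen whether a record length is available here; if it is not, the caller should verify that the header fits before calling. At minimum, document the precondition above the reads, e.g. `/* caller must guarantee the optional header fields lie inside the record */`.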
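Review bot: The guard in `xls_fread` (hunk `@@ -951,6 +952,21 @@`), `(size * nmemb) > bufsz`, multiplies two `size_t` values that can wrap, so a large enough pair would pass the check. Every call visible in this diff passes `size == 1`, which keeps it safe today but not for future callers. Use the division form instead: `if (size != 0 && nmemb > bufsz / size) return 0;`. The helper also relies on each caller passing the true size of the destination, which `sizeof` yields only for an array and not for a pointer; a short comment in the function header saying so would make that contract explicit.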
@@ -1435,7 +1453,8 @@ if (fseek (xls, where, SEEK_SET) != 0) return FREEXL_CFBF_SEEK_ERROR; /* reading a DIFAT sector */ - if (fread (&difat, 1, chain->sector_size, xls) != chain->sector_size) + if (xls_fread (sizeof (difat), &difat, 1, chain->sector_size, xls) != + chain->sector_size) return FREEXL_CFBF_READ_ERROR; blocks++; if (chain->swap) @@ -1496,7 +1515,8 @@ unsigned char *p_buf = buf; block++; /* reading a miniFAT sector */ - if (fread (&buf, 1, chain->sector_size, xls) != chain->sector_size) + if (xls_fread (sizeof (buf), &buf, 1, chain->sector_size, xls) != + chain->sector_size) return FREEXL_CFBF_READ_ERROR; for (i_fat = 0; i_fat < max_fat; i_fat++) { @@ -1524,7 +1544,7 @@ int ret; unsigned char *p_fat = header.fat_sector_map; - if (fread (&header, 1, 512, workbook->xls) != 512) + if (xls_fread (sizeof (header), &header, 1, 512, workbook->xls) != 512) { *err_code = FREEXL_CFBF_READ_ERROR; return NULL; @@ -1670,8 +1690,9 @@ *errcode = FREEXL_CFBF_SEEK_ERROR; return 0; } - if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) != - workbook->fat->sector_size) + if (xls_fread + (sizeof (buf), buf, 1, workbook->fat->sector_size, + workbook->xls) != workbook->fat->sector_size) { *errcode = FREEXL_CFBF_READ_ERROR; return 0; @@ -1758,6 +1779,7 @@ unsigned int len; int utf16 = 0; int err; + unsigned int next_skip; unsigned int utf16_len = workbook->shared_strings.current_utf16_len; unsigned int utf16_off = workbook->shared_strings.current_utf16_off; unsigned int utf16_skip = workbook->shared_strings.current_utf16_skip; @@ -1795,6 +1817,11 @@ /* skipping extra data (if any) */ p_string += utf16_skip; + if (p_string - workbook->record >= workbook->record_size) + next_skip = + (p_string - workbook->record) - workbook->record_size; + else + next_skip = 0; /* converting text to UTF-8 */ utf8_string = 
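Review bot: In the `@@ -1795,6 +1817,11 @@` hunk the new `next_skip` computation runs after `p_string += utf16_skip` has already moved the pointer by a file-derived amount, so `p_string` can point well beyond the end of `workbook->record`. Forming such a pointer is undefined behaviour in C, and the comparison mixes a signed pointer difference with what appears to be an unsigned `record_size`. Compute the overshoot from offsets before advancing, e.g. `size_t end = (size_t) (p_string - workbook->record) + utf16_skip;` followed by `next_skip = end > workbook->record_size ? end - workbook->record_size : 0;`. The same pattern is added in the `@@ -1890,6 +1923,10 @@` hunk, and both enclosing functions start and end outside the hunks.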
@@ -1808,7 +1835,8 @@ workbook->shared_strings.current_utf16_buf = NULL; workbook->shared_strings.current_utf16_len = 0; workbook->shared_strings.current_utf16_off = 0; - workbook->shared_strings.current_utf16_skip = 0; + workbook->shared_strings.current_utf16_skip = next_skip; + workbook->shared_strings.next_utf16_skip = 0; workbook->shared_strings.current_index += 1; } } @@ -1823,6 +1851,7 @@ biff_word16 word16; unsigned int start_offset; unsigned int extra_skip; + unsigned int next_skip; if ((unsigned int) (p_string - workbook->record) >= workbook->record_size) @@ -1831,6 +1860,9 @@ return FREEXL_OK; } + /* skipping extra bytes belonging to the previous record */ + p_string += workbook->shared_strings.next_utf16_skip; + memcpy (word16.bytes, p_string, 2); if (swap) swap16 (&word16); @@ -1843,6 +1875,7 @@ /* initializing the current UTF-16 variables */ workbook->shared_strings.current_utf16_skip = extra_skip; + workbook->shared_strings.next_utf16_skip = 0; workbook->shared_strings.current_utf16_off = 0; workbook->shared_strings.current_utf16_len = len; workbook->shared_strings.current_utf16_buf = @@ -1890,6 +1923,10 @@ p_string += len * 2; /* skipping extra data (if any) */ p_string += workbook->shared_strings.current_utf16_skip; + if (p_string - workbook->record >= workbook->record_size) + next_skip = (p_string - workbook->record) - workbook->record_size; + else + next_skip = 0; *(workbook->shared_strings.utf8_strings + i_string) = utf8_string; free (workbook->shared_strings.current_utf16_buf); @@ -1897,6 +1934,7 @@ workbook->shared_strings.current_utf16_len = 0; workbook->shared_strings.current_utf16_off = 0; workbook->shared_strings.current_utf16_skip = 0; + workbook->shared_strings.next_utf16_skip = next_skip; workbook->shared_strings.current_index = i_string + 1; } 
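Review bot: The added `p_string += workbook->shared_strings.next_utf16_skip;` in the `@@ -1831,6 +1860,9 @@` hunk comes after the end-of-record test shown in the preceding hunk, so the `memcpy (word16.bytes, p_string, 2)` that follows reads at an offset nothing has re-validated. `next_utf16_skip` is the overshoot carried over from the previous record and ultimately derives from lengths stored in the file, so it can exceed what is left of the current record. Repeat the bound after the skip and require room for the 2-byte length, for example `if ((unsigned int) (p_string - workbook->record) + 2 > workbook->record_size) return FREEXL_OK;`. The correct return value depends on code outside the hunk.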
@@ -2003,7 +2041,7 @@ /* looping on BIFF records */ if (!first) { - if (fread (&buf, 1, 4, workbook->xls) != 4) + if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) return 0; memcpy (record_type.bytes, buf, 2); memcpy (record_size.bytes, buf + 2, 2); @@ -2029,9 +2067,9 @@ /* INTEGER marker found */ biff_word16 word16; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); @@ -2056,9 +2094,9 @@ /* NUMBER marker found */ biff_word16 word16; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); @@ -2083,9 +2121,9 @@ /* BOOLERR marker found */ biff_word16 word16; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); @@ -2108,9 +2146,9 @@ /* RK marker found */ biff_word16 word16; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); @@ -2135,9 +2173,9 @@ /* LABEL marker found */ biff_word16 word16; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); 
@@ -2214,7 +2252,7 @@ /* attempting to get the main BOF */ rewind (workbook->xls); - if (fread (&buf, 1, 4, workbook->xls) != 4) + if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) return 0; memcpy (record_type.bytes, buf, 2); memcpy (record_size.bytes, buf + 2, 2); @@ -2250,7 +2288,7 @@ { /* looping on BIFF records */ - if (fread (&buf, 1, 4, workbook->xls) != 4) + if (xls_fread (sizeof (buf), &buf, 1, 4, workbook->xls) != 4) return 0; memcpy (record_type.bytes, buf, 2); memcpy (record_size.bytes, buf + 2, 2); @@ -2263,7 +2301,7 @@ if (record_type.value == BIFF_SHEETSOFFSET) { -/* unsupported BIFF4W format */ + /* unsupported BIFF4W format */ return 0; } @@ -2276,9 +2314,9 @@ if (record_type.value == BIFF_CODEPAGE) { /* CODEPAGE marker found */ - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); if (swap) @@ -2294,9 +2332,9 @@ if (record_type.value == BIFF_DATEMODE) { /* DATEMODE marker found */ - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); if (swap) @@ -2328,9 +2366,9 @@ int is_date = 0; int is_datetime = 0; int is_time = 0; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; if (workbook->biff_version == FREEXL_BIFF_VER_2 
@@ -2395,10 +2433,10 @@ { /* XF [Extended Format] marker found */ unsigned char format; - unsigned short s_format; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + unsigned short s_format = 0; + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; switch (workbook->biff_version) { @@ -2428,9 +2466,9 @@ unsigned int rows; unsigned short columns; char *utf8_name; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record + 2, 2); @@ -2478,9 +2516,9 @@ (workbook, swap, record_type.value, record_size.value)) return 0; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); @@ -2546,9 +2584,9 @@ (workbook, swap, record_type.value, record_size.value)) return 0; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); @@ -2625,9 +2663,9 @@ (workbook, swap, record_type.value, record_size.value)) return 0; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); 
@@ -2678,9 +2716,9 @@ (workbook, swap, record_type.value, record_size.value)) return 0; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); @@ -2779,9 +2817,9 @@ (workbook, swap, record_type.value, record_size.value)) return 0; - if (fread - (workbook->record, 1, record_size.value, - workbook->xls) != record_size.value) + if (xls_fread + (sizeof (workbook->record), workbook->record, 1, + record_size.value, workbook->xls) != record_size.value) return 0; memcpy (word16.bytes, workbook->record, 2); @@ -3209,7 +3247,7 @@ || workbook->biff_version == FREEXL_BIFF_VER_8)) { /* XF [Extended Format] marker found */ - unsigned short s_format; + unsigned short s_format = 0; biff_word16 word16; if (workbook->second_pass) return FREEXL_OK; @@ -3646,8 +3684,9 @@ long where = (workbook->current_sector + 1) * workbook->fat->sector_size; if (fseek (workbook->xls, where, SEEK_SET) != 0) return FREEXL_CFBF_SEEK_ERROR; - if (fread (buf, 1, workbook->fat->sector_size, workbook->xls) != - workbook->fat->sector_size) + if (xls_fread + (sizeof (biff_workbook), buf, 1, workbook->fat->sector_size, + workbook->xls) != workbook->fat->sector_size) return FREEXL_CFBF_READ_ERROR; return FREEXL_OK; } @@ -3769,6 +3808,14 @@ if (record_type.value == 0x0000 && record_size.value == 0) return -1; +/* +/ Sandro 2017-09-07 +/ fixing a security issue reported by +/ Cisco [TALOS-2017-430] +*/ + if (record_size.value > sizeof (workbook->record)) + return -1; + /* saving the current record */ workbook->record_type = record_type.value; workbook->record_size = record_size.value; 
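Review bot: The bound passed to `xls_fread` in the `@@ -3646,8 +3684,9 @@` hunk is `sizeof (biff_workbook)`, the size of the whole workbook structure, not the size of the object `buf` points to. The overflow check therefore cannot catch a `sector_size` that is larger than `buf` but smaller than the structure. Every other call site in this diff passes `sizeof` of the destination itself. The declaration of `buf` is outside the hunk; pass the size of whatever it refers to (for a member array, `sizeof` of that member) in place of `sizeof (biff_workbook)`.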
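Review bot: The new oversize check in the `@@ -3769,6 +3808,14 @@` hunk returns `-1`, the same value the line just above returns for a record with type `0x0000` and size 0, so the caller cannot tell a record that exceeds `workbook->record` from that case. How callers treat `-1` is outside the hunk; if it means end of stream, a malformed file would be accepted as a shorter valid one. Consider returning the function's error code here, and extend the comment to state the rule: `/* reject any record larger than workbook->record before it is read */`.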
@@ -3948,8 +3995,9 @@ if (fseek (workbook->xls, where, SEEK_SET) != 0) return FREEXL_CFBF_SEEK_ERROR; /* reading a FAT Directory block [sector] */ - if (fread (dir_block, 1, workbook->fat->sector_size, workbook->xls) != - workbook->fat->sector_size) + if (xls_fread + (sizeof (dir_block), dir_block, 1, workbook->fat->sector_size, + workbook->xls) != workbook->fat->sector_size) return FREEXL_CFBF_READ_ERROR; workbook_start = 0xFFFFFFFF; for (i_entry = 0; i_entry < max_entries; i_entry++)