Re: Integer overflow in Calc lcl_getSingleCellAddressFromXMLString nColumn computation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 23.02.2021 13:08, Stephan Bergmann wrote:
On 23/02/2021 08:34, Stephan Bergmann wrote:
Now, <http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#__RefHeading__1418304_253892949> "19.593.6<chart:plot-area> (deprecated)" specifies that that attribute shall be of type <http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#datatype-cellRangeAddressList> "18.3.6cellRangeAddressList" aka <http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#CellRangeAddressList> "9.2.5Cell Range Address List".  Lacking whitespace, "PivotChart" is apparently a list containing a single cell range addresses or cell addresses, and lacking a colon, it apparently is a cell address.

<http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#__RefHeading__1415614_253892949> "Referencing Table Cells" specifies the structure of such a cell address:

Cell addresses are constructed as follows:

    1)The name of the table.
    2)A dot “.” (U+002E, FULL STOP).
    3)An alphabetic value representing the column. The letter A represents column 1, B represents column 2, and so on. AA represents column 27, AB represents column 28, and so on.     4)A numeric value representing the row. The number 1 represents the first row, the number 2 represents the second row, and so on.

But lcl_getCellAddressFromXMLString and lcl_getSingleCellAddressFromXMLString in chart2/source/tools/XMLRangeHelper.cxx apparently attempt to parse something rather different:

* lcl_getCellAddressFromXMLString supports backslash quoting;

* lcl_getCellAddressFromXMLString makes the leading table name and dot optional;

* lcl_getSingleCellAddressFromXMLString supports an optional "$";

* lcl_getSingleCellAddressFromXMLString supports lower-case letters in addition to upper-case letters for the column;

* lcl_getSingleCellAddressFromXMLString makes the numeric value representing the row optional.

I'm still not sure what to make of all that.  Is sc/qa/uitest/data/tdf107097.ods bogus and should be rejected?

The file has served a nice job of covering this possible problem of user input, and IMO should stay after the checks are fixed (but I don't have a suggestion on which level sanitizing should happen).



--
Best regards,
Mike Kaganski
_______________________________________________
LibreOffice mailing list
LibreOffice@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/libreoffice




[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux