Integer overflow in Calc lcl_getSingleCellAddressFromXMLString nColumn computation
Stephan Bergmann
sbergman at redhat.com
Tue Feb 23 10:08:22 UTC 2021
On 23/02/2021 08:34, Stephan Bergmann wrote:
> I have no idea whether lcl_getSingleCellAddressFromXMLString is
> legitimately getting called here with those arguments (or if the real
> error is somewhere else), what that nColumn computation actually means,
> nor what's going on in general. If anybody knowledgeable about that
> code could please have a look.
With a little more digging: However sc/qa/uitest/data/tdf107097.ods was
generated, its "Object 1/content.xml" sub-file contains the XML element
> <chart:plot-area chart:style-name="ch3" table:cell-range-address="PivotChart" chart:data-source-has-labels="column" svg:x="0.398cm" svg:y="0.991cm" svg:width="16.013cm" svg:height="9.381cm">
whose table:cell-range-address attribute appears to be what gets processed
here.
Now,
<http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#__RefHeading__1418304_253892949>
"19.593.6 <chart:plot-area> (deprecated)" specifies that that attribute
shall be of type
<http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#datatype-cellRangeAddressList>
"18.3.6 cellRangeAddressList" aka
<http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#CellRangeAddressList>
"9.2.5 Cell Range Address List". Lacking whitespace, "PivotChart" is
apparently a list containing a single cell range address or cell
address, and lacking a colon, it apparently is a cell address.
<http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#__RefHeading__1415614_253892949>
"Referencing Table Cells" specifies the structure of such a cell address:
> Cell addresses are constructed as follows:
>
> 1) The name of the table.
>
> 2) A dot “.” (U+002E, FULL STOP).
>
> 3) An alphabetic value representing the column. The letter A represents column 1, B represents column 2, and so on. AA represents column 27, AB represents column 28, and so on.
>
> 4) A numeric value representing the row. The number 1 represents the first row, the number 2 represents the second row, and so on.
But lcl_getCellAddressFromXMLString and
lcl_getSingleCellAddressFromXMLString in
chart2/source/tools/XMLRangeHelper.cxx apparently attempt to parse
something rather different:
* lcl_getCellAddressFromXMLString supports backslash quoting;
* lcl_getCellAddressFromXMLString makes the leading table name and dot
optional;
* lcl_getSingleCellAddressFromXMLString supports an optional "$";
* lcl_getSingleCellAddressFromXMLString supports lower-case letters in
addition to upper-case letters for the column;
* lcl_getSingleCellAddressFromXMLString makes the numeric value
representing the row optional.
I'm still not sure what to make of all that. Is
sc/qa/uitest/data/tdf107097.ods bogus and should be rejected? Xisco,
can you please clarify how you created that file? Should the parsing
code in chart2/source/tools/XMLRangeHelper.cxx be less lenient and
reject that "PivotChart" value (or is that parsing code also used in
situations that ask for parsing another grammar)?
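As an added example (not LibreOffice code and not part of this thread), here is a strict parser for the cell-address grammar quoted above: table name, dot, upper-case column letters, row digits, and nothing else. The column index is accumulated in 64 bits and bounds-checked against int32, so an over-long letter run is rejected rather than wrapping; the table name is assumed to be unquoted and free of dots.

```cpp
// Added example (not LibreOffice code): strict parser for the ODF 1.2 single
// cell address form <table>.<COLUMN LETTERS><ROW DIGITS>, with the column index
// computed in a 64-bit accumulator and bounds-checked against int32.
#include <cstdint>
#include <limits>
#include <optional>
#include <string>

struct CellAddress {
    std::string table;
    std::int32_t column;  // 1-based: A=1, Z=26, AA=27, AB=28
    std::int32_t row;     // 1-based
};

// Accumulate a positional value from characters in [lo, hi]; `offset` is 1 for
// bijective column letters (A=1) and 0 for ordinary decimal digits. Rejects an
// empty run, any stray character, and any value that does not fit in int32.
static bool accumulate(const std::string& s, char lo, char hi, int base, int offset,
                       std::int32_t& out) {
    if (s.empty()) return false;
    std::int64_t acc = 0;
    for (char c : s) {
        if (c < lo || c > hi) return false;
        acc = acc * base + (c - lo + offset);  // acc <= INT32_MAX here, so no 64-bit overflow
        if (acc > std::numeric_limits<std::int32_t>::max()) return false;
    }
    out = static_cast<std::int32_t>(acc);
    return true;
}

// Assumes an unquoted table name containing no dots (quoted names are out of scope).
std::optional<CellAddress> parseStrictCellAddress(const std::string& addr) {
    const std::size_t dot = addr.find('.');
    if (dot == std::string::npos || dot == 0) return std::nullopt;  // "PivotChart" stops here
    std::size_t pos = dot + 1;
    while (pos < addr.size() && addr[pos] >= 'A' && addr[pos] <= 'Z') ++pos;
    const std::string letters = addr.substr(dot + 1, pos - dot - 1);
    const std::string digits = addr.substr(pos);  // rest must be the row: "$", "a" or "" fail
    CellAddress out{addr.substr(0, dot), 0, 0};
    if (!accumulate(letters, 'A', 'Z', 26, 1, out.column)) return std::nullopt;
    if (digits.empty() || digits[0] == '0' ||  // row must start at 1, no leading zeros
        !accumulate(digits, '0', '9', 10, 0, out.row)) return std::nullopt;
    return out;
}
```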