Integer overflow in Calc lcl_getSingleCellAddressFromXMLString nColumn computation
mikekaganski at hotmail.com
Tue Feb 23 10:59:53 UTC 2021
On 23.02.2021 13:08, Stephan Bergmann wrote:
> On 23/02/2021 08:34, Stephan Bergmann wrote:
> "19.593.6 <chart:plot-area> (deprecated)" specifies that that attribute
> shall be of type
> "18.3.6 cellRangeAddressList" aka
> "9.2.5 Cell Range Address List". Lacking whitespace, "PivotChart" is
> apparently a list containing a single cell range addresses or cell
> addresses, and lacking a colon, it apparently is a cell address.
> "Referencing Table Cells" specifies the structure of such a cell address:
>> Cell addresses are constructed as follows:
>> 1) The name of the table.
>> 2) A dot “.” (U+002E, FULL STOP).
>> 3) An alphabetic value representing the column. The letter A
>> represents column 1, B represents column 2, and so on. AA represents
>> column 27, AB represents column 28, and so on.
>> 4) A numeric value representing the row. The number 1 represents
>> the first row, the number 2 represents the second row, and so on.
> But lcl_getCellAddressFromXMLString and
> lcl_getSingleCellAddressFromXMLString in
> chart2/source/tools/XMLRangeHelper.cxx apparently attempt to parse
> something rather different:
> * lcl_getCellAddressFromXMLString supports backslash quoting;
> * lcl_getCellAddressFromXMLString makes the leading table name and dot
> * lcl_getSingleCellAddressFromXMLString supports an optional "$";
> * lcl_getSingleCellAddressFromXMLString supports lower-case letters in
> addition to upper-case letters for the column;
> * lcl_getSingleCellAddressFromXMLString makes the numeric value
> representing the row optional.
> I'm still not sure what to make of all that. Is
> sc/qa/uitest/data/tdf107097.ods bogus and should be rejected?
The file has served a nice job of covering this possible problem of user
input, and IMO should stay after the checks are fixed (but I don't have
a suggestion on which level sanitizing should happen).
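
Added example (not part of the original message and not LibreOffice code): a strict parser for the four-step cell address grammar quoted above, with column and row accumulation that fails instead of wrapping a 32-bit integer. The names CellAddress, accumulate and parseCellAddress are hypothetical, and the sketch assumes the table name ends at the last dot and is not quoted.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <string>
#include <string_view>

// Hypothetical result type; names are illustrative, not LibreOffice's.
struct CellAddress {
    std::string table;
    int32_t column; // 1-based: A = 1, AA = 27
    int32_t row;    // 1-based
};

// acc = acc * base + digit, refusing any step that would exceed INT32_MAX.
static bool accumulate(int32_t& acc, int32_t base, int32_t digit) {
    if (acc > (std::numeric_limits<int32_t>::max() - digit) / base)
        return false;
    acc = acc * base + digit;
    return true;
}

// Strict parse of "<table>.<COLUMN><row>" per the four quoted steps:
// no "$", no lower-case column letters, no backslash quoting, row mandatory.
std::optional<CellAddress> parseCellAddress(std::string_view s) {
    const std::size_t dot = s.rfind('.');
    if (dot == std::string_view::npos || dot == 0)
        return std::nullopt;               // table name and dot are required
    CellAddress a{std::string(s.substr(0, dot)), 0, 0};
    std::size_t i = dot + 1;
    const std::size_t colStart = i;
    for (; i < s.size() && s[i] >= 'A' && s[i] <= 'Z'; ++i)
        if (!accumulate(a.column, 26, s[i] - 'A' + 1))
            return std::nullopt;           // column would overflow int32_t
    if (i == colStart)
        return std::nullopt;               // at least one column letter
    const std::size_t rowStart = i;
    for (; i < s.size() && s[i] >= '0' && s[i] <= '9'; ++i)
        if (!accumulate(a.row, 10, s[i] - '0'))
            return std::nullopt;           // row would overflow int32_t
    if (i == rowStart || i != s.size() || a.row == 0)
        return std::nullopt;               // row required, no trailing junk
    return a;
}

int main() { // constructed sample inputs
    for (const char* s : {"Sheet1.AB12", "PivotChart", "Sheet1.PIVOTCHART1"})
        std::printf("%-20s %s\n", s, parseCellAddress(s) ? "accepted" : "rejected");
}
```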