Integer overflow in Calc lcl_getSingleCellAddressFromXMLString nColumn computation

Mike Kaganski mikekaganski at hotmail.com
Tue Feb 23 10:59:53 UTC 2021


On 23.02.2021 13:08, Stephan Bergmann wrote:
> On 23/02/2021 08:34, Stephan Bergmann wrote:
> Now, 
> <http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#__RefHeading__1418304_253892949> 
> "19.593.6 <chart:plot-area> (deprecated)" specifies that that attribute 
> shall be of type 
> <http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#datatype-cellRangeAddressList> 
> "18.3.6 cellRangeAddressList" aka 
> <http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#CellRangeAddressList> 
> "9.2.5 Cell Range Address List".  Lacking whitespace, "PivotChart" is 
> apparently a list containing a single cell range address or cell 
> address, and lacking a colon, it apparently is a cell address.
> 
> <http://docs.oasis-open.org/office/v1.2/os/OpenDocument-v1.2-os-part1.html#__RefHeading__1415614_253892949> 
> "Referencing Table Cells" specifies the structure of such a cell address:
> 
>> Cell addresses are constructed as follows:
>>
>>     1) The name of the table.
>>     2) A dot “.” (U+002E, FULL STOP).
>>     3) An alphabetic value representing the column. The letter A 
>> represents column 1, B represents column 2, and so on. AA represents 
>> column 27, AB represents column 28, and so on.
>>     4) A numeric value representing the row. The number 1 represents 
>> the first row, the number 2 represents the second row, and so on.
> 
> But lcl_getCellAddressFromXMLString and 
> lcl_getSingleCellAddressFromXMLString in 
> chart2/source/tools/XMLRangeHelper.cxx apparently attempt to parse 
> something rather different:
> 
> * lcl_getCellAddressFromXMLString supports backslash quoting;
> 
> * lcl_getCellAddressFromXMLString makes the leading table name and dot 
> optional;
> 
> * lcl_getSingleCellAddressFromXMLString supports an optional "$";
> 
> * lcl_getSingleCellAddressFromXMLString supports lower-case letters in 
> addition to upper-case letters for the column;
> 
> * lcl_getSingleCellAddressFromXMLString makes the numeric value 
> representing the row optional.
> 
> I'm still not sure what to make of all that.  Is 
> sc/qa/uitest/data/tdf107097.ods bogus and should be rejected?

The file has served a nice job of covering this possible problem of user 
input, and IMO should stay after the checks are fixed (but I don't have 
a suggestion on which level sanitizing should happen).



-- 
Best regards,
Mike Kaganski
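
For reference, the cell address grammar quoted in this message can be parsed strictly, with the column and row values checked before each multiply so they cannot overflow. This is an added example, not code from this thread or from LibreOffice: parseStrictCellAddress, accumulate, kMaxColumn and kMaxRow are hypothetical names and limits, and backslash quoting of table names is not handled.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string_view>

// Hypothetical limits chosen for this example; not taken from LibreOffice.
constexpr std::int32_t kMaxColumn = 16384;
constexpr std::int32_t kMaxRow = 1048576;

struct CellAddress {
    std::string_view table;
    std::int32_t column; // 1-based: A = 1, AA = 27
    std::int32_t row;    // 1-based
};

// value = value * base + digit, refused before the result could exceed limit.
static bool accumulate(std::int32_t& value, std::int32_t base,
                       std::int32_t digit, std::int32_t limit) {
    if (value > (limit - digit) / base) return false;
    value = value * base + digit;
    return true;
}

// Strict form only: table name, ".", upper-case column letters, row digits.
// No "$", no lower-case letters, no optional table name or row.
std::optional<CellAddress> parseStrictCellAddress(std::string_view s) {
    const auto dot = s.rfind('.');
    if (dot == std::string_view::npos || dot == 0) return std::nullopt;
    CellAddress addr{s.substr(0, dot), 0, 0};
    std::size_t i = dot + 1;
    for (; i < s.size() && s[i] >= 'A' && s[i] <= 'Z'; ++i)
        if (!accumulate(addr.column, 26, s[i] - 'A' + 1, kMaxColumn))
            return std::nullopt; // column out of range: reject, never wrap
    if (addr.column == 0) return std::nullopt;
    const std::size_t rowStart = i;
    for (; i < s.size() && s[i] >= '0' && s[i] <= '9'; ++i)
        if (!accumulate(addr.row, 10, s[i] - '0', kMaxRow))
            return std::nullopt;
    if (i == rowStart || i != s.size() || addr.row == 0) return std::nullopt;
    return addr;
}
```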

