freexl -- integer overflow

ID A59E263A-45CD-11E5-ADDE-14DAE9D210B8
Type freebsd
Reporter FreeBSD
Modified 2015-07-06T00:00:00


Stefan Cornelius reports:

There's an integer overflow in the allocate_cells() function when trying to allocate the memory for worksheet with specially crafted row/column dimensions. This can be exploited to cause a heap memory corruption. The most likely outcome of this is a crash when trying to initialize the cells later in the function.