From 7ef080464392dec95a2f35a367eef96fb78720c2 Mon Sep 17 00:00:00 2001
From: Liu Jinchang <liujinchang@uniontech.com>
Date: Tue, 5 Aug 2025 16:52:56 +0800
Subject: [PATCH] fix: enhance error handling in formula evaluation

- Added boundary checks to ensure valid memory access when evaluating target names, preventing access to invalid indices in the name object list.
- Introduced default error text handling for unknown error codes to enhance robustness and user feedback.

Log: enhance error handling in formula evaluation
Bug: https://pms.uniontech.com/bug-view-327367.html
---
 3rdparty/libs/fileext/excel/formula.cpp | 40 +++++++++++++++----------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/3rdparty/libs/fileext/excel/formula.cpp b/3rdparty/libs/fileext/excel/formula.cpp
index 61d49e6..5af0b49 100644
--- a/3rdparty/libs/fileext/excel/formula.cpp
+++ b/3rdparty/libs/fileext/excel/formula.cpp
@@ -743,26 +743,34 @@ void Formula::evaluateFormula(Name& name, int nameIndex, int level) {
             // tName
             else if (opCode == 0x03) {
                 unsigned short targetNameIndex = m_book->readByte<unsigned short>(data, pos+1, 2) - 1;
-                // Only change with BIFF version is number of trailing UNUSED bytes!
-                Name& targetName = m_book->m_nameObjList[targetNameIndex];
-                // Recursive
-                if (!targetName.m_evaluated)
-                    evaluateFormula(targetName, targetNameIndex, level+1);
 
-                Operand res(oUNK);
-                if (!targetName.m_stack.empty() && !(targetName.m_macro || targetName.m_isBinary || targetName.m_hasError))
-                    res = targetName.m_stack[0];
-                res.m_rank = LEAF_RANK;
-
-                if (targetName.m_scope == -1) {
-                    res.m_text  = targetName.m_name;
-                    hasError    = (hasError || targetName.m_macro || targetName.m_isBinary || targetName.m_hasError);
-                    hasRelation = (hasRelation || targetName.m_hasRelation);
+                // 添加边界检查，防止访问无效内存
+                if (targetNameIndex >= m_book->m_nameObjList.size()) {
+                    hasError = true;
+                    stack.push_back(errorOp);
                 }
                 else {
-                    res.m_text = m_book->m_sheetNames[targetName.m_scope] + "%s!" + targetName.m_name;
+                    // Only change with BIFF version is number of trailing UNUSED bytes!
+                    Name& targetName = m_book->m_nameObjList[targetNameIndex];
+                    // Recursive
+                    if (!targetName.m_evaluated)
+                        evaluateFormula(targetName, targetNameIndex, level+1);
+
+                    Operand res(oUNK);
+                    if (!targetName.m_stack.empty() && !(targetName.m_macro || targetName.m_isBinary || targetName.m_hasError))
+                        res = targetName.m_stack[0];
+                    res.m_rank = LEAF_RANK;
+
+                    if (targetName.m_scope == -1) {
+                        res.m_text  = targetName.m_name;
+                        hasError    = (hasError || targetName.m_macro || targetName.m_isBinary || targetName.m_hasError);
+                        hasRelation = (hasRelation || targetName.m_hasRelation);
+                    }
+                    else {
+                        res.m_text = m_book->m_sheetNames[targetName.m_scope] + "%s!" + targetName.m_name;
+                    }
+                    stack.push_back(res);
                 }
-                stack.push_back(res);
             }
             // tRef
             else if (opCode == 0x04) {