From 13e2efe7240cfc18d25b6dd99bfc5501017e3842 Mon Sep 17 00:00:00 2001
From: Viktor Andreev
Date: Fri, 5 Dec 2025 16:09:45 +0600
Subject: [PATCH] fix bug #78955
(cherry picked from commit 6ea64599bd3125f9cad42fc2ad8ff3413e1bb362)
---
 .../XlsFile/Format/Logic/Biff_records/AutoFilter.cpp | 9 ++++++++-
 .../Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/MsBinaryFile/XlsFile/Format/Logic/Biff_records/AutoFilter.cpp b/MsBinaryFile/XlsFile/Format/Logic/Biff_records/AutoFilter.cpp
index 6fa427b376..5c2b3b7610 100644
--- a/MsBinaryFile/XlsFile/Format/Logic/Biff_records/AutoFilter.cpp
+++ b/MsBinaryFile/XlsFile/Format/Logic/Biff_records/AutoFilter.cpp
@@ -72,7 +72,14 @@ void AutoFilter::readFields(CFRecord& record)
 {
 size_t pos_record = record.getRdPtr();
- if (size == 0xffffffff) size = record.getDataSize() - pos_record;
+
+ if (size == 0xffffffff)
+ size = record.getDataSize() - pos_record;
+ else if(record.getDataSize() < pos_record + size)
+ {
+ //size error
+ return;
+ }
 if (size > 0)
 {
diff --git a/MsBinaryFile/XlsFile/Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp b/MsBinaryFile/XlsFile/Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp
index 4f56ec0e1e..b19f624915 100644
--- a/MsBinaryFile/XlsFile/Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp
+++ b/MsBinaryFile/XlsFile/Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp
@@ -53,7 +53,7 @@ void Feat11FdaAutoFilter::load(CFRecord& record)
 }
 record.skipNunBytes(2);
- if (cbAutoFilter > 0 && cbAutoFilter < 2080)
+ if (cbAutoFilter > 0 && cbAutoFilter < 2080 && (record.getDataSize() - record.getRdPtr()) >= cbAutoFilter)
 {
 recAutoFilter.size = cbAutoFilter;
 recAutoFilter.readFields(record);
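Review bot: The new bound in `AutoFilter::readFields`, `record.getDataSize() < pos_record + size`, adds two values before comparing, so if `size` is a 32-bit field (its declaration is not in the hunk) or the build is 32-bit, a large length taken from the file can wrap the sum and pass the check. Comparing against the remaining bytes avoids the wrap: `else if (pos_record > record.getDataSize() || size > record.getDataSize() - pos_record)`. The sentinel branch above it has the same exposure, since `record.getDataSize() - pos_record` underflows if the read pointer is already past the end of the data. The early `return` also leaves the record's fields unset with nothing signalled to the caller, so `//size error` would be more useful as a comment stating that the declared length exceeds the record data and the record is deliberately left empty. The function body continues outside the hunk.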
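Review bot: In `Feat11FdaAutoFilter::load`, the added term `(record.getDataSize() - record.getRdPtr()) >= cbAutoFilter` is an unsigned subtraction, so it only works as a bound if the read pointer cannot exceed the data size after `record.skipNunBytes(2)`; whether `skipNunBytes` clamps is not visible here. If the pointer can run past the end, the difference wraps to a large value and the guard passes; putting `record.getRdPtr() <= record.getDataSize() &&` in front of it makes the check hold either way. The limit `2080` is unexplained, and a named constant or a comment saying where that maximum comes from would help the next reader. When the guard fails, the visible lines neither read nor skip the `cbAutoFilter` bytes, so it is worth confirming that the code after this block (outside the hunk) does not continue parsing from a misaligned offset.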