[goffice] Don't crash when loading a corrupted chart. [#626206, #626263]



commit 3769d287afed06b94cbe7636a586906a66f22d63
Author: Jean Brefort <jean brefort normalesup org>
Date:   Sat Aug 7 09:39:20 2010 +0200

    Don't crash when loading a corrupted chart. [#626206, #626263]

 ChangeLog                        |    9 +++++++++
 NEWS                             |    3 +++
 goffice/graph/gog-data-set.c     |    6 ++++++
 goffice/graph/gog-object-xml.c   |   19 +++++++++++++++++--
 goffice/utils/go-styled-object.c |    1 +
 5 files changed, 36 insertions(+), 2 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index bb472e5..0feed1c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2010-08-07  Jean Brefort  <jean brefort normalesup org>
+
+	* goffice/graph/gog-data-set.c (gog_dataset_set_dim): check dimension.
+	* goffice/graph/gog-object-xml.c (gogo_dim_start):  check dimension and
+	object type [#626263],
+	(gogo_prop_start): check dimension [#626206].
+	* goffice/utils/go-styled-object.c (go_styled_object_set_style): don't set
+	a NULL style.
+
 2010-07-30  Morten Welinder <terra gnome org>
 
 	* configure.in: Post-release bump.
diff --git a/NEWS b/NEWS
index 1c81642..9aede36 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,8 @@
 goffice 0.8.9:
 
+Jean:
+	* Don't crash when loading a corrupted chart. [#626206, #626263]
+
 --------------------------------------------------------------------------
 goffice 0.8.8:
 
diff --git a/goffice/graph/gog-data-set.c b/goffice/graph/gog-data-set.c
index 1a52647..47f0820 100644
--- a/goffice/graph/gog-data-set.c
+++ b/goffice/graph/gog-data-set.c
@@ -91,6 +91,7 @@ void
 gog_dataset_set_dim (GogDataset *set, int dim_i, GOData *val, GError **err)
 {
 	GogDatasetClass *klass;
+	int first, last;
 
 	g_return_if_fail (val == NULL || GO_IS_DATA (val));
 
@@ -99,6 +100,11 @@ gog_dataset_set_dim (GogDataset *set, int dim_i, GOData *val, GError **err)
 		goto done;
 	}
 
+	gog_dataset_dims (set, &first, &last);
+	if (dim_i < first || dim_i > last) {
+		g_warning ("gog_dataset_set_dim called with invalid index (%d)", dim_i);
+		goto done;
+	}
 	klass = GOG_DATASET_GET_CLASS (set);
 
 	/* short circuit */
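Review bot: `first` and `last` are read by the new range test in gog_dataset_set_dim without being initialised, so the test is only sound if gog_dataset_dims always writes both outputs. Its body is not visible here, and a GLib-style precondition return inside it would leave them indeterminate. Declaring them as `int first = 0, last = -1;` makes that case reject every index instead of comparing against whatever was on the stack. The same pattern appears in the gogo_dim_start hunk of gog-object-xml.c. The function starts and ends outside this hunk, so what the `done` label releases on the new early exit could not be checked.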
diff --git a/goffice/graph/gog-object-xml.c b/goffice/graph/gog-object-xml.c
index 7b91025..9379110 100644
--- a/goffice/graph/gog-object-xml.c
+++ b/goffice/graph/gog-object-xml.c
@@ -348,7 +348,7 @@ typedef struct {
 	GParamSpec	*prop_spec;
 	gboolean	 prop_pushed_obj;
 	GOData		*dimension;
-	unsigned	 dimension_id;
+	int		 dimension_id;
 
 	GogObjectSaxHandler handler;
 	gpointer user_data;
@@ -367,6 +367,7 @@ gogo_dim_start (GsfXMLIn *xin, xmlChar const **attrs)
 	GogXMLReadState *state = (GogXMLReadState *)xin->user_state;
 	xmlChar const *dim_str = NULL, *type_str = NULL;
 	GType type;
+	int first, last;
 
 	if (NULL == state->obj)
 		return;
@@ -384,7 +385,13 @@ gogo_dim_start (GsfXMLIn *xin, xmlChar const **attrs)
 			   G_OBJECT_TYPE_NAME (state->obj));
 		return;
 	}
-	state->dimension_id = strtoul (dim_str, NULL, 10);
+	state->dimension_id = strtol (dim_str, NULL, 10);
+	gog_dataset_dims (GOG_DATASET (state->obj), &first, &last);
+	if (state->dimension_id < first || state->dimension_id > last) {
+		g_warning ("invalid dimension id %d for class `%s'",
+			   state->dimension_id, G_OBJECT_TYPE_NAME (state->obj));
+		return;
+	}
 
 	if (NULL == type_str) {
 		g_warning ("missing type for dimension `%s' of class `%s'",
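Review bot: The `strtol` result in gogo_dim_start is narrowed straight into the `int` field `state->dimension_id` with a NULL end pointer, so the range test that follows does not see what the file actually contained. On platforms where `long` is wider than `int`, an out-of-range number can wrap into `[first, last]` and be accepted, and a non-numeric or trailing-garbage attribute silently parses as a valid prefix or 0. The rejected id is also already stored in `state` before the early return. Parsing into a local `long`, checking the end pointer, comparing before narrowing and only then assigning closes all three; the two new locals belong with the existing declarations at the top of the function, which lies outside this hunk.

```c
	/* … unchanged: missing-dim_str warning and return … */
	char *end = NULL;
	long id = strtol ((char const *) dim_str, &end, 10);

	gog_dataset_dims (GOG_DATASET (state->obj), &first, &last);
	if (end == (char *) dim_str || *end != '\0' || id < first || id > last) {
		g_warning ("invalid dimension id `%s' for class `%s'",
			   dim_str, G_OBJECT_TYPE_NAME (state->obj));
		return;
	}
	state->dimension_id = (int) id;
	/* … unchanged: type_str checks … */
```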
@@ -397,6 +404,10 @@ gogo_dim_start (GsfXMLIn *xin, xmlChar const **attrs)
 		g_warning ("unknown type '%s' for dimension `%s' of class `%s'",
 			   type_str, dim_str, G_OBJECT_TYPE_NAME (state->obj));
 		return;
+	} else if (!g_type_is_a (type, GO_TYPE_DATA)) {
+		g_warning ("type '%s' is invalid as dimension `%s' of class `%s'",
+			   type_str, dim_str, G_OBJECT_TYPE_NAME (state->obj));
+		return;
 	}
 	state->dimension = g_object_new (type, NULL);
 
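Review bot: The new `g_type_is_a (type, GO_TYPE_DATA)` test still lets an abstract type name from the file reach `g_object_new (type, NULL)`, because an abstract type is-a itself and is-a its parents. GObject will not instantiate an abstract type, so if GO_TYPE_DATA or any registered subtype is abstract (not visible here), a corrupted file naming it would still fail inside GLib rather than take the warning path. Extending the condition to `!g_type_is_a (type, GO_TYPE_DATA) || G_TYPE_IS_ABSTRACT (type)` covers it. The `g_type_is_a (type, prop_type)` branch added in the gogo_prop_start hunk has the same gap before its `g_object_new` call. Both functions extend beyond their hunks, so later NULL handling of the created object could not be checked.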
@@ -473,6 +484,10 @@ gogo_prop_start (GsfXMLIn *xin, xmlChar const **attrs)
 			g_warning ("unknown type '%s' for property `%s' of class `%s'",
 				   type_str, prop_str, G_OBJECT_TYPE_NAME (state->obj));
 			return;
+		} else if (!g_type_is_a (type, prop_type)) {
+			g_warning ("invalid type '%s' for property `%s' of class `%s'",
+				   type_str, prop_str, G_OBJECT_TYPE_NAME (state->obj));
+			return;
 		}
 		obj = g_object_new (type, NULL);
 
diff --git a/goffice/utils/go-styled-object.c b/goffice/utils/go-styled-object.c
index 8450dfd..9dd16c9 100644
--- a/goffice/utils/go-styled-object.c
+++ b/goffice/utils/go-styled-object.c
@@ -111,6 +111,7 @@ go_styled_object_set_style (GOStyledObject *gso, GOStyle *style)
 {
 	GOStyledObjectClass *klass = GO_STYLED_OBJECT_GET_CLASS (gso);
 	g_return_val_if_fail (klass != NULL, FALSE);
+	g_return_val_if_fail (style != NULL, FALSE);
 	return (klass->set_style)?
 		klass->set_style (gso, style): FALSE;
 }
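Review bot: The added `g_return_val_if_fail (style != NULL, FALSE);` in go_styled_object_set_style is a precondition macro, not input validation, so it disappears in builds that define `G_DISABLE_CHECKS`. It also logs a critical, which aborts under fatal-criticals settings. The commit message says a NULL style can be reached from a corrupted chart file, so an unconditional `if (style == NULL) return FALSE;` would keep the guard in every build. Rejecting the missing style at the call site in the XML loader, which is not shown here, would be better still. A short comment such as `/* style may be NULL when the file omitted or mangled it */` would record why the check exists.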


