[goffice] Fuzzed file fix. [#751059]

From: Jean Bréfort <jbrefort src gnome org>
To: commits-list gnome org
Cc:
Subject: [goffice] Fuzzed file fix. [#751059]
Date: Fri, 19 Jun 2015 13:17:04 +0000 (UTC)
commit e9559837a093042a4c7f9c0d6dd108df054487d1
Author: Jean Brefort <jean brefort normalesup org>
Date:   Fri Jun 19 15:16:42 2015 +0200

    Fuzzed file fix.  [#751059]

 ChangeLog                         |    7 +++++++
 NEWS                              |    2 +-
 plugins/plot_barcol/gog-barcol.c  |    6 +++++-
 plugins/plot_barcol/gog-dropbar.c |    6 +++++-
 plugins/plot_barcol/gog-line.c    |    6 +++++-
 5 files changed, 23 insertions(+), 4 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index cb4ddf0..b013554 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-06-19  Jean Brefort  <jean brefort normalesup org>
+
+       * plugins/plot_barcol/gog-barcol.c (gog_barcol_view_render): protect
+       against wrong series number. [#751059]
+       * plugins/plot_barcol/gog-dropbar.c (gog_dropbar_view_render):
+       * plugins/plot_barcol/gog-line.c (gog_line_view_render):
+
 2015-06-18  Morten Welinder  <terra gnome org>
 
        * goffice/app/go-doc.c (go_doc_image_fetch): Sanity check image
diff --git a/NEWS b/NEWS
index 35cbe5e..9a0aa35 100644
--- a/NEWS
+++ b/NEWS
@@ -2,7 +2,7 @@ goffice 0.10.23:
 
 Jean:
        * Disable metafiles support when there is no screen. [#748493]
-       * Fuzzed file fix.  [#750860]
+       * Fuzzed file fix.  [#750860] [#751059]
 
 Morten:
        * Fix ABR [#749167]
diff --git a/plugins/plot_barcol/gog-barcol.c b/plugins/plot_barcol/gog-barcol.c
index df568df..317fb84 100644
--- a/plugins/plot_barcol/gog-barcol.c
+++ b/plugins/plot_barcol/gog-barcol.c
@@ -613,7 +613,7 @@ gog_barcol_view_render (GogView *view, GogViewAllocation const *bbox)
        label_pos = g_alloca (num_series * sizeof (gpointer));
 
        i = 0;
-       for (ptr = gog_1_5d_model->base.series ; ptr != NULL ; ptr = ptr->next, i++) {
+       for (ptr = gog_1_5d_model->base.series ; ptr != NULL && i < num_series ; ptr = ptr->next, i++) {
                series = ptr->data;
                base_series = GOG_SERIES (series);
                if (!gog_series_is_valid (base_series)) {
@@ -651,6 +651,10 @@ gog_barcol_view_render (GogView *view, GogViewAllocation const *bbox)
                } else
                        label_pos[i] = NULL;
        }
+       if (ptr != NULL || i != num_series) {
+               g_warning ("Wrong series number in bar/col plot");
+               num_series = i;
+       }
 
        /* work in coordinates drawing bars from the top */
        col_step = 1. - model->overlap_percentage / 100.;
diff --git a/plugins/plot_barcol/gog-dropbar.c b/plugins/plot_barcol/gog-dropbar.c
index be5ebfe..14957b0 100644
--- a/plugins/plot_barcol/gog-dropbar.c
+++ b/plugins/plot_barcol/gog-dropbar.c
@@ -295,7 +295,7 @@ gog_dropbar_view_render (GogView *view, GogViewAllocation const *bbox)
        offset = - (step * (num_series - 1.0) + work.w) / 2.0;
 
 
-       for (ptr = gog_1_5d_model->base.series ; ptr != NULL ; ptr = ptr->next) {
+       for (ptr = gog_1_5d_model->base.series ; ptr != NULL && j < num_series; ptr = ptr->next) {
                series = ptr->data;
                base_series = GOG_SERIES (series);
                if (!gog_series_is_valid (base_series)) {
@@ -379,6 +379,10 @@ gog_dropbar_view_render (GogView *view, GogViewAllocation const *bbox)
                g_object_unref (neg_style);
                j++;
        }
+       if (ptr != NULL || j != num_series) {
+               g_warning ("Wrong series number in dropbar plot");
+               num_series = j;
+       }
        for (j = 0; j < num_series; j++)
                if (path1[j] != NULL) {
                        gog_renderer_push_style (view->renderer,
diff --git a/plugins/plot_barcol/gog-line.c b/plugins/plot_barcol/gog-line.c
index cb9e5cf..60fcc1e 100644
--- a/plugins/plot_barcol/gog-line.c
+++ b/plugins/plot_barcol/gog-line.c
@@ -974,7 +974,7 @@ gog_line_view_render (GogView *view, GogViewAllocation const *bbox)
        drop_paths = g_alloca (num_series * sizeof (GOPath *));
 
        i = 0;
-       for (ptr = model->base.series ; ptr != NULL ; ptr = ptr->next) {
+       for (ptr = model->base.series ; ptr != NULL && i < num_series ; ptr = ptr->next) {
                series[i] = ptr->data;
                base_series = GOG_SERIES (ptr->data);
 
@@ -1011,6 +1011,10 @@ gog_line_view_render (GogView *view, GogViewAllocation const *bbox)
                        lines[i] = NULL;
                i++;
        }
+       if (ptr != NULL || i != num_series) {
+               g_warning ("Wrong series number in bar/col plot");
+               num_series = i;
+       }
 
        for (j = 0; j < num_elements; j++) {
                sum = abs_sum = 0.0;
[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]