[goffice] Fuzzed file fix. [#751256]

[Jean Bréfort <jbrefort src gnome org>]

commit d83c946deca6e66ea4360cd7054d700fe2b5f434
Author: Jean Brefort <jean brefort normalesup org>
Date:   Sun Jun 21 08:01:22 2015 +0200

    Fuzzed file fix. [#751256]

 ChangeLog                |    5 +++++
 NEWS                     |    2 +-
 plugins/plot_xy/gog-xy.c |    7 ++++++-
 3 files changed, 12 insertions(+), 2 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index b013554..6990f3b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-21  Jean Brefort  <jean brefort normalesup org>
+
+       * plugins/plot_xy/gog-xy.c (gog_xy_view_render): protect against wrong
+       series element index. [#751256]
+
 2015-06-19  Jean Brefort  <jean brefort normalesup org>
 
        * plugins/plot_barcol/gog-barcol.c (gog_barcol_view_render): protect
diff --git a/NEWS b/NEWS
index 9a0aa35..6e96642 100644
--- a/NEWS
+++ b/NEWS
@@ -2,7 +2,7 @@ goffice 0.10.23:
 
 Jean:
        * Disable metafiles support when there is no screen. [#748493]
-       * Fuzzed file fix.  [#750860] [#751059]
+       * Fuzzed file fix.  [#750860] [#751059] [#751256]
 
 Morten:
        * Fix ABR [#749167]
diff --git a/plugins/plot_xy/gog-xy.c b/plugins/plot_xy/gog-xy.c
index 1c17edd..ba724b6 100644
--- a/plugins/plot_xy/gog-xy.c
+++ b/plugins/plot_xy/gog-xy.c
@@ -1461,9 +1461,14 @@ gog_xy_view_render (GogView *view, GogViewAllocation const *bbox)
                                gog_renderer_pop_style (view->renderer);
                                g_free (markers[j]);
                        } else if (overrides != NULL) {
-                               gog_series_get_xy_data (GOG_SERIES (series), &x_vals, &y_vals);
+                               n = gog_series_get_xy_data (GOG_SERIES (series), &x_vals, &y_vals);
                                while (overrides != NULL) {
                                        gse = GOG_SERIES_ELEMENT (overrides->data);
+                                       if (gse->index >= n) {
+                                               g_warning ("Invalid series element index");
+                                               overrides = overrides->next;
+                                               continue;
+                                       }
                                        x = x_vals ? x_vals[gse->index] : gse->index + 1;
                                        y = y_vals[gse->index];
                                        if (gog_axis_map_finite (y_map, y) && gog_axis_map_finite (x_map, x)) 
{