[gnumeric] Fuzzed file fixes. [#751217]

From: Jean Bréfort <jbrefort src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnumeric] Fuzzed file fixes. [#751217]
Date: Tue, 23 Jun 2015 14:07:08 +0000 (UTC)

commit 8cdb241581e769af65c98e650dafa40a5b0cc859
Author: Jean Brefort <jean brefort normalesup org>
Date:   Tue Jun 23 16:05:35 2015 +0200

    Fuzzed file fixes.  [#751217]

 ChangeLog          |    5 +++++
 NEWS               |    2 +-
 src/xml-sax-read.c |    9 +++++----
 3 files changed, 11 insertions(+), 5 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index f0d59cf..9f3f757 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2015-06-23  Jean Brefort  <jean brefort normalesup org>
+
+       * src/xml-sax-read.c (gnm_xml_finish_obj), (xml_sax_read_obj),
+       (xml_sax_object_end): ensure we always use the right state. [#751217]
+
 2015-06-22  Andreas J. Guelzow <aguelzow pyrshep ca>
 
        * samples/excel/engfuns.xls: update to use correct lbm->g conversion
diff --git a/NEWS b/NEWS
index 79f8c68..6426373 100644
--- a/NEWS
+++ b/NEWS
@@ -14,7 +14,7 @@ Andreas:
 Jean:
        * Fix xlsx import of plot area manual layout. [#748016]
        * Fix out of bounds read. [#749121]
-       * Fuzzed file fixes.  [#750042] [#751270] [#751271]
+       * Fuzzed file fixes.  [#750042] [751217] [#751270] [#751271]
 
 Morten:
        * Fix import/export of graph backplane.
diff --git a/src/xml-sax-read.c b/src/xml-sax-read.c
index 55f8b38..3dc0f93 100644
--- a/src/xml-sax-read.c
+++ b/src/xml-sax-read.c
@@ -428,9 +428,8 @@ gnm_xml_in_cur_sheet (GsfXMLIn const *xin)
 }
 
 static void
-gnm_xml_finish_obj (GsfXMLIn *xin)
+gnm_xml_finish_obj (GsfXMLIn *xin, XMLSaxParseState *state)
 {
-       XMLSaxParseState *state = (XMLSaxParseState *)xin->user_state;
        GnmCellRegion *cr = state->clipboard;
 
        if (cr) {
@@ -2439,7 +2438,9 @@ xml_sax_read_obj (GsfXMLIn *xin, gboolean needs_cleanup,
                        doc = gsf_xml_in_doc_new (dtd, NULL);
                        gnm_xml_in_doc_dispose_on_exit (&doc);
                }
-               gsf_xml_in_push_state (xin, doc, NULL,
+               /* we need to pas state there because xin->user_state might have
+                        changed, see #751217 */
+               gsf_xml_in_push_state (xin, doc, state,
                        (GsfXMLInExtDtor) gnm_xml_finish_obj, attrs);
        }
 }
@@ -2455,7 +2456,7 @@ xml_sax_object_start (GsfXMLIn *xin, xmlChar const **attrs)
 static void
 xml_sax_object_end (GsfXMLIn *xin, G_GNUC_UNUSED GsfXMLBlob *blob)
 {
-       gnm_xml_finish_obj (xin);
+       gnm_xml_finish_obj (xin, xin->user_state);
        /*
         * WARNING: the object is not completely finished at this
         * time.  Any handler installed by gog_object_sax_push_parser

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]