[gnumeric] Fuzzed file fix. [#760546]



commit 93cfab0f3d812e9949629c4df17122ffe4284b9c
Author: Jean Brefort <jean brefort normalesup org>
Date:   Wed Jan 13 14:19:35 2016 +0100

    Fuzzed file fix.  [#760546]

 NEWS                     |    3 +++
 plugins/excel/ChangeLog  |    4 ++++
 plugins/excel/ms-chart.c |   14 ++++++++------
 3 files changed, 15 insertions(+), 6 deletions(-)
---
diff --git a/NEWS b/NEWS
index 6312269..a2b98a0 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,9 @@ Andreas:
        * Read/write zoom values to/from ODF files in LO compatible way. [#700013]
        * Read new attribute to am/pm element in ODF import. [#760043]
 
+Jean:
+       * Fuzzed file fixes.  [#760546]
+
 Morten:
        * Teach ssconvert to split sheets into separate .txt files [#694408]
        * Improve test suite.
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index ae68f79..b9cf3d1 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,3 +1,7 @@
+2016-01-13  Jean Brefort  <jean brefort normalesup org>
+
+       * ms-chart.c (end): Add missing array length check. Fixes #760546.
+
 2016-01-07  Morten Welinder  <terra gnome org>
 
        * ms-obj.c (ms_obj_read_biff8_obj): Add missing length check for
diff --git a/plugins/excel/ms-chart.c b/plugins/excel/ms-chart.c
index b2bd5e9..9ce59f4 100644
--- a/plugins/excel/ms-chart.c
+++ b/plugins/excel/ms-chart.c
@@ -3049,9 +3049,10 @@ not_a_matrix:
                                        } else
                                                eseries->extra_dim = GOG_MS_DIM_END;
                                }
-                               while (eseries = g_ptr_array_index (s->series, k++),
-                                                       eseries && eseries->chart_group != s->plot_counter)
-                                       if (k == s->series->len) {
+                               eseries = NULL;
+                               while (k < l && (eseries = g_ptr_array_index (s->series, k++),
+                                                       eseries && eseries->chart_group != s->plot_counter))
+                                       if (k == l) {
                                                eseries = NULL;
                                                break;
                                        }
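Review bot: The new guard `k < l` bounds the `g_ptr_array_index` lookup (a macro that does no bounds checking itself) by a local `l` whose assignment is not visible in this hunk, whereas the removed line compared against `s->series->len` directly. If `l` is not guaranteed to equal the array's current length here, a crafted chart record could still drive the read past the end of `s->series`. Either test `k < s->series->len` in the loop condition, or add a comment where `l` is assigned stating that it caches `s->series->len` and that the array is not resized before these loops. The same applies to the identical loop in the next hunk, after `gog_plot_new_series`; the enclosing block starts and ends outside both hunks.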
@@ -3079,9 +3080,10 @@ not_a_matrix:
                                for (n = 0; n <= added_plots; n++)
                                        gog_object_reorder (plot, TRUE, FALSE);
                                series = gog_plot_new_series (GOG_PLOT (plot));
-                               while (eseries = g_ptr_array_index (s->series, k++),
-                                                       eseries && eseries->chart_group != s->plot_counter)
-                                       if (k == s->series->len) {
+                               eseries = NULL;
+                               while (k < l && (eseries = g_ptr_array_index (s->series, k++),
+                                                       eseries && eseries->chart_group != s->plot_counter))
+                                       if (k == l) {
                                                eseries = NULL;
                                                break;
                                        }
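Review bot: The `if (k == l)` body looks redundant next to the new `k < l` test but is still load-bearing, and nothing in the code says so. Without it the loop would leave through `k < l` with `eseries` still pointing at the last, non-matching series. A comment such as `/* ran off the end: no series left for this chart group */` above the `eseries = NULL;` inside the body would keep a later cleanup from removing it. This loop is also a verbatim copy of the one in the previous hunk, so a small static helper that returns the next series for the current `s->plot_counter` (or NULL) would keep the bounds check in one place. Whether the code that follows tolerates a NULL `eseries` cannot be confirmed from the hunk.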

