Commit e994b025 authored by Jean Bréfort's avatar Jean Bréfort

Fuzzed files fixes. [#751968] [#751969] [#751971]

parent 7b02d793
2015-07-05 Jean Brefort <jean.brefort@normalesup.org>
* src/sheet-object-graph.c (vector_end): fix array overflow. [#751971]
2015-07-04 Andreas J. Guelzow <aguelzow@pyrshep.ca>
* src/value.c (value_compare_real): handle two empty values however
......
......@@ -16,7 +16,8 @@ Jean:
* Fix out of bounds read. [#749121]
* Fuzzed file fixes. [#750042] [#751217] [#751270] [#751271]
[#751383] [#751384] [#751758] [#751744] [#751908] [#751920]
[#751249] [#751945] [#751909] [#751946]
[#751249] [#751945] [#751909] [#751946] [#751968] [#751969]
[#751971]
Morten:
* Fix import/export of graph backplane.
......
2015-07-05 Jean Brefort <jean.brefort@normalesup.org>
* ms-chart.c (end): one more NULL value issue. [#751969]
* ms-excel-read.c (sst_read_string): fix test with undsigned integer.
Fixs #751968.
2015-07-04 Jean Brefort <jean.brefort@normalesup.org>
* ms-excel-read.c (excel_read_FONT): don't read missing data. [#751909]
......
......@@ -2827,16 +2827,18 @@ BC_R(end)(XLChartHandler const *handle,
if (!gnm_expr_top_is_rangeref (texpr))
goto not_a_matrix;
value = gnm_expr_top_get_range (texpr);
if ((as_col && (value->v_range.cell.a.col != col ||
value->v_range.cell.a.row != row_start)) ||
(! as_col && (value->v_range.cell.a.col != col_start ||
value->v_range.cell.a.row != row))) {
is_matrix = FALSE;
if (value) {
if ((as_col && (value->v_range.cell.a.col != col ||
value->v_range.cell.a.row != row_start)) ||
(! as_col && (value->v_range.cell.a.col != col_start ||
value->v_range.cell.a.row != row))) {
is_matrix = FALSE;
value_release (value);
break;
}
value_release (value);
break;
has_labels = TRUE;
}
value_release (value);
has_labels = TRUE;
}
cur = eseries->data [GOG_MS_DIM_CATEGORIES].data;
if (cur && cat_expr &&
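Review bot: When `gnm_expr_top_get_range` returns NULL, the new `if (value)` guard only skips the block, so `is_matrix` keeps its earlier value and the label-position check is never made for this series. The call sits right after a `gnm_expr_top_is_rangeref` test that already does `goto not_a_matrix`, so handling NULL the same way with `if (value == NULL) goto not_a_matrix;` would fail closed and avoid the extra nesting level. Whether skipping is intended cannot be told from the hunk, because the enclosing loop starts and ends outside it. If it is intended, a short comment explaining why a range reference can yield no value would help the next reader.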
......
......@@ -1283,7 +1283,7 @@ sst_read_string (BiffQuery *q, MSContainer const *c,
pango_attr_list_unref (txo_run.accum);
return offset;
}
if ((q->length - offset) >= 4) {
if ((q->length >= offset + 4)) {
guint16 o = GSF_LE_GET_GUINT16 (q->data + offset);
size_t l = strlen (res_str);
txo_run.last = g_utf8_offset_to_pointer (res_str, MIN (o, l)) - res_str;
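Review bot: The rewritten guard `q->length >= offset + 4` removes the unsigned underflow of the old subtraction, but the addition can still wrap if `offset` is within 4 of its type's maximum. The form `offset <= q->length && q->length - offset >= 4` has neither problem, though whether `offset` can get that large is not visible here. Separately, on the context lines that follow, `l` is a byte count from `strlen` but is used to clamp `o`, which `g_utf8_offset_to_pointer` treats as a character offset. For a multibyte `res_str`, a file-supplied `o` between the character count and the byte count would therefore step past the terminator; clamping with `g_utf8_strlen (res_str, -1)` would bound it correctly. The body of `sst_read_string` starts and ends outside this hunk.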
......
......@@ -850,7 +850,7 @@ vector_end (GsfXMLIn *xin, G_GNUC_UNUSED GsfXMLBlob *unknown)
{
GuppiReadState *state = (GuppiReadState *) xin->user_state;
GOData *data;
if (state->cur_index > 255)
if (state->cur_index >= state->max_data)
return;
data = g_object_new (GNM_GO_DATA_VECTOR_TYPE, NULL);
go_data_unserialize (data, xin->content->str, (void*) state->convs);
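Review bot: The result of `go_data_unserialize` on the last visible line is discarded, so content that fails to parse still leaves a constructed vector object that the rest of `vector_end` (outside this hunk) presumably stores. For input from an untrusted file it would be safer to stop there, e.g. `if (!go_data_unserialize (data, xin->content->str, (void*) state->convs)) { g_object_unref (data); return; }`. The new bound `state->cur_index >= state->max_data` is only as good as the place where `max_data` and the backing array are set up, which is also outside the hunk. A one-line comment on the check tying it to that allocation would make the invariant explicit.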
......