[goffice] Fuzzed file fix.



commit b57dbdc033815c238d7429badbe187f2e3593e32
Author: Morten Welinder <terra gnome org>
Date:   Tue May 12 16:24:43 2015 -0400

    Fuzzed file fix.

 ChangeLog                    |    6 ++++++
 NEWS                         |    1 +
 goffice/graph/gog-renderer.c |   18 +++++++++++++-----
 3 files changed, 20 insertions(+), 5 deletions(-)
---
diff --git a/ChangeLog b/ChangeLog
index c169f4d..ce8202a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-05-12  Morten Welinder  <terra gnome org>
+
+       * goffice/graph/gog-renderer.c (gog_renderer_get_pixbuf): Handle
+       degenerate image size.
+       (gog_renderer_export_image): Limit size to shield cairo.  Fixes #749274.
+
 2015-05-09  Morten Welinder  <terra gnome org>
 
        * goffice/utils/go-format.c (go_format_parse): Don't read beyond
diff --git a/NEWS b/NEWS
index 1ebb503..56ec2bd 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,7 @@ Jean:
 
 Morten:
        * Fix ABR [#749167]
+       * Shield Cairo from image sizes it cannot handle.  [#749274]
 
 --------------------------------------------------------------------------
 goffice 0.10.22:
diff --git a/goffice/graph/gog-renderer.c b/goffice/graph/gog-renderer.c
index 7fb47bd..5627181 100644
--- a/goffice/graph/gog-renderer.c
+++ b/goffice/graph/gog-renderer.c
@@ -1453,12 +1453,16 @@ gog_renderer_get_pixbuf (GogRenderer *rend)
        if (rend->pixbuf == NULL) {
                int width = cairo_image_surface_get_width (rend->cairo_surface);
                int height = cairo_image_surface_get_height (rend->cairo_surface);
-               int rowstride = cairo_image_surface_get_stride (rend->cairo_surface);
-               unsigned char *data = cairo_image_surface_get_data (rend->cairo_surface);
 
-               rend->pixbuf = gdk_pixbuf_new_from_data (data, GDK_COLORSPACE_RGB, TRUE, 8,
-                                                        width, height, rowstride, NULL, NULL);
-               go_cairo_convert_data_to_pixbuf (data, NULL, width, height, rowstride);
+               if (width <= 0 || height <= 0)
+                       rend->pixbuf = gdk_pixbuf_new (GDK_COLORSPACE_RGB, TRUE, 8, 1, 1);
+               else {
+                       int rowstride = cairo_image_surface_get_stride (rend->cairo_surface);
+                       unsigned char *data = cairo_image_surface_get_data (rend->cairo_surface);
+                       rend->pixbuf = gdk_pixbuf_new_from_data (data, GDK_COLORSPACE_RGB, TRUE, 8,
+                                                                width, height, rowstride, NULL, NULL);
+                       go_cairo_convert_data_to_pixbuf (data, NULL, width, height, rowstride);
+               }
        }
 
        return rend->pixbuf;
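Review bot: The 1x1 placeholder built in the `width <= 0 || height <= 0` branch is never initialised, because `gdk_pixbuf_new` does not clear its buffer; the pixel returned to callers is whatever the allocator left there and may reach exported output. Clearing it right after creation, for example `if (rend->pixbuf) gdk_pixbuf_fill (rend->pixbuf, 0);`, makes the fallback deterministic and avoids disclosing stale heap bytes. In the else branch `data` is still used without a NULL check; `cairo_image_surface_get_data` can return NULL for a finished surface, so a guard there may be worth adding if that state is reachable. The function starts before this hunk, so whether `rend->cairo_surface` is validated earlier is not visible here.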
@@ -1577,6 +1581,10 @@ gog_renderer_export_image (GogRenderer *rend, GOImageFormat format,
 
        gog_graph_get_size (rend->model, &width_in_pts, &height_in_pts);
 
+       /* Prevent Cairo from faulting.  */
+       width_in_pts = CLAMP (width_in_pts, 1, 32767 * 72.0 / x_dpi);
+       height_in_pts = CLAMP (height_in_pts, 1, 32767 * 72.0 / y_dpi);
+
        switch (format) {
                case GO_IMAGE_FORMAT_EPS:
                        rend->marker_as_surface = FALSE;
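Review bot: The upper bounds `32767 * 72.0 / x_dpi` and `32767 * 72.0 / y_dpi` are only meaningful for a positive DPI, and no check on `x_dpi`/`y_dpi` is visible in this hunk. With a zero DPI the bound becomes infinite and nothing is limited; with a negative DPI the bound is below the lower limit 1 and `CLAMP` returns that negative bound as the size. A NaN size from `gog_graph_get_size` would also pass through `CLAMP` unchanged, since both comparisons are false. If the DPI values are not validated earlier in the function (its start is outside the hunk), a guard such as `g_return_val_if_fail (x_dpi > 0. && y_dpi > 0., FALSE);` before the clamp would close this, assuming the function returns a gboolean. The comment would be clearer if it stated the limit, e.g. `/* Cairo image surfaces are limited to 32767 pixels per dimension; clamp the size in points accordingly. */`.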

