[gnumeric] xlsx: fix fuzzed file NULL deref.



commit 50362e27c308ab01c39257e826f49cf1ed0e29ed
Author: Morten Welinder <terra gnome org>
Date:   Sat May 9 16:24:16 2015 -0400

    xlsx: fix fuzzed file NULL deref.

 NEWS                              |    4 ++--
 plugins/excel/ChangeLog           |    4 ++++
 plugins/excel/xlsx-read-drawing.c |   13 ++++++++++---
 3 files changed, 16 insertions(+), 5 deletions(-)
---
diff --git a/NEWS b/NEWS
index 890cdec..a5d8203 100644
--- a/NEWS
+++ b/NEWS
@@ -14,8 +14,8 @@ Morten:
        * Fix xlsx save crash related to shared strings.  [#748477]
        * Solver code refactoring.
        * Plug leaks.
-       * Fuzzed file fixes.  [#748595]  [#748597] [#749031] [#749030]
-         [#749069] [#748533] [#749118]
+       * Fuzzed file fixes.  [#748595] [#748597] [#749031] [#749030]
+         [#749069] [#748533] [#749118] [#749166]
        * Make solver check linearity of model.
 
 --------------------------------------------------------------------------
diff --git a/plugins/excel/ChangeLog b/plugins/excel/ChangeLog
index 396468d..8ec2bab 100644
--- a/plugins/excel/ChangeLog
+++ b/plugins/excel/ChangeLog
@@ -1,5 +1,9 @@
 2015-05-09  Morten Welinder  <terra gnome org>
 
+       * xlsx-read-drawing.c (xlsx_read_chart): Handle missing series.
+       [#749166]
+       (xlsx_read_chart): Free left-over styles.
+
        * ms-excel-read.c (excel_read_NAME): Take record length into
        account.
 
diff --git a/plugins/excel/xlsx-read-drawing.c b/plugins/excel/xlsx-read-drawing.c
index 742b6c6..d2a877d 100644
--- a/plugins/excel/xlsx-read-drawing.c
+++ b/plugins/excel/xlsx-read-drawing.c
@@ -3061,7 +3061,7 @@ xlsx_read_chart (GsfXMLIn *xin, xmlChar const **attrs)
                xlsx_parse_rel_by_id (xin, part_id, xlsx_chart_dtd, xlsx_ns);
 
                if (NULL != state->obj_stack) {
-                       g_warning ("left over content on chart object stack");
+                       g_warning ("left-over content on chart object stack");
                        g_slist_free (state->obj_stack);
                        state->obj_stack = NULL;
                }
@@ -3071,7 +3071,13 @@ xlsx_read_chart (GsfXMLIn *xin, xmlChar const **attrs)
                g_object_unref (state->cur_style);
                state->cur_style = NULL;
                if (NULL != state->style_stack) {
-                       g_warning ("left over style");
+                       GSList *l;
+                       g_warning ("left-over style");
+                       for (l = state->style_stack; l; l = l->next) {
+                               GOStyle *style = l->data;
+                               if (style)
+                                       g_object_unref (style);
+                       }
                        g_slist_free (state->style_stack);
                        state->style_stack = NULL;
                }
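Review bot: The new unref loop over `state->style_stack` carries no comment explaining why each entry is released and why a NULL entry is tolerated, which is the one thing a later reader of this cleanup path needs to know. Judging from the `g_object_unref (style)` call and the `if (style)` guard, the stack appears to own a reference per entry and may hold NULL placeholders; a comment such as `/* Malformed input can leave entries behind; each owns a ref and may be NULL. */` above the loop would record that. The `obj_stack` cleanup in the previous hunk frees only the list cells; whether its entries hold references is not visible here and is worth confirming for consistency. The enclosing block of xlsx_read_chart starts and ends outside this hunk.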
@@ -3087,7 +3093,8 @@ xlsx_read_chart (GsfXMLIn *xin, xmlChar const **attrs)
                                        GSList *plots = gog_chart_get_plots (state->chart);
                                        if (plots != NULL && plots->data != NULL) {
                                                GogPlot *plot = GOG_PLOT (plots->data);
-                                               GogDataset *ds = plot? GOG_DATASET (gog_plot_get_series  
(plot)->data): NULL;
+                                               GSList const *series = plot ? gog_plot_get_series  (plot) : 
NULL;
+                                               GogDataset *ds = series ? GOG_DATASET (series->data) : NULL;
                                                if (ds)
                                                        dat = gog_dataset_get_dim (ds, -1);
                                                if (dat)
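Review bot: With the series list now allowed to be empty, `ds` can be NULL on this path, and the `if (dat)` on the last visible line is still evaluated even though the assignment to `dat` was skipped. `dat` is declared outside the hunk, so it cannot be confirmed from here that it is NULL at this point; if it still holds an earlier value, the code under `if (dat)` would act on stale data for a file with no series. Making the assignment unconditional removes the doubt: `dat = ds ? gog_dataset_get_dim (ds, -1) : NULL;`. The body of xlsx_read_chart continues past the end of the hunk.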

