From b09d4419877b31898414e50fb3540f96c3cf3e9f Mon Sep 17 00:00:00 2001
From: Viktor Andreev
Date: Tue, 9 Dec 2025 16:43:05 +0600
Subject: [PATCH 1/4] fix bug #78958
(cherry picked from commit e15391ea35727368ddd46b55df2c5fc1ed130361)
---
 .../XlsFile/Format/Logic/Biff_unions/ATTACHEDLABEL_bu.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/ATTACHEDLABEL_bu.cpp b/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/ATTACHEDLABEL_bu.cpp
index 6b8014ff31..446086413d 100644
--- a/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/ATTACHEDLABEL_bu.cpp
+++ b/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/ATTACHEDLABEL_bu.cpp
@@ -153,7 +153,8 @@ const bool ATTACHEDLABEL::loadContent(BinProcessor& proc)
 proc.optional();
- proc.mandatory(); elements_.pop_back();
+ if(proc.mandatory())
+ elements_.pop_back();
 return true;
 }
From 13e2efe7240cfc18d25b6dd99bfc5501017e3842 Mon Sep 17 00:00:00 2001
From: Viktor Andreev
Date: Fri, 5 Dec 2025 16:09:45 +0600
Subject: [PATCH 2/4] fix bug #78955
(cherry picked from commit 6ea64599bd3125f9cad42fc2ad8ff3413e1bb362)
---
 .../XlsFile/Format/Logic/Biff_records/AutoFilter.cpp | 9 ++++++++-
 .../Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/MsBinaryFile/XlsFile/Format/Logic/Biff_records/AutoFilter.cpp b/MsBinaryFile/XlsFile/Format/Logic/Biff_records/AutoFilter.cpp
index 6fa427b376..5c2b3b7610 100644
--- a/MsBinaryFile/XlsFile/Format/Logic/Biff_records/AutoFilter.cpp
+++ b/MsBinaryFile/XlsFile/Format/Logic/Biff_records/AutoFilter.cpp
@@ -72,7 +72,14 @@ void AutoFilter::readFields(CFRecord& record)
 {
 size_t pos_record = record.getRdPtr();
- if (size == 0xffffffff) size = record.getDataSize() - pos_record;
+
+ if (size == 0xffffffff)
+ size = record.getDataSize() - pos_record;
+ else if(record.getDataSize() < pos_record + size)
+ {
+ //size error
+ return;
+ }
 if (size > 0)
 {
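Review bot: In ATTACHEDLABEL_bu.cpp, `loadContent` still reaches `return true;` when the guarded `proc.mandatory()` call fails, so a truncated or malformed record group is reported to the caller as parsed. If callers act on the return value (not visible here), consider `if (!proc.mandatory()) return false;` followed by `elements_.pop_back();`, or add a comment saying why a missing closing record is tolerated. The second LD.cpp hunk (`@@ -102,7 +103,8 @@`) has the same pattern. The guard also assumes that a successful `mandatory()` always pushed an element onto `elements_`; the function body starts outside the hunk, so that cannot be confirmed from here.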
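Review bot: In AutoFilter.cpp the new bound check `record.getDataSize() < pos_record + size` adds two file-controlled values before comparing, so a large `size` can wrap the sum and pass the check on builds where the addition is done in 32 bits (the type of `size` is declared outside the hunk). Comparing against the remaining length avoids the addition: `else if (pos_record > record.getDataSize() || size > record.getDataSize() - pos_record)`. The `0xffffffff` branch here and the new condition in the Feat11FdaAutoFilter.cpp hunk both compute data size minus read pointer without first checking that the read pointer is inside the data, which would wrap to a huge value if it ever is not, assuming both are unsigned. The early `return` also leaves the read pointer where it was, and the `//size error` comment should say whether callers cope with an unread record.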
diff --git a/MsBinaryFile/XlsFile/Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp b/MsBinaryFile/XlsFile/Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp
index 4f56ec0e1e..b19f624915 100644
--- a/MsBinaryFile/XlsFile/Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp
+++ b/MsBinaryFile/XlsFile/Format/Logic/Biff_structures/Feat11FdaAutoFilter.cpp
@@ -53,7 +53,7 @@ void Feat11FdaAutoFilter::load(CFRecord& record)
 }
 record.skipNunBytes(2);
- if (cbAutoFilter > 0 && cbAutoFilter < 2080)
+ if (cbAutoFilter > 0 && cbAutoFilter < 2080 && (record.getDataSize() - record.getRdPtr()) >= cbAutoFilter)
 {
 recAutoFilter.size = cbAutoFilter;
 recAutoFilter.readFields(record);
From d373a8cc4caaddeec06089bc703747d3bd099790 Mon Sep 17 00:00:00 2001
From: Viktor Andreev
Date: Thu, 4 Dec 2025 21:19:39 +0600
Subject: [PATCH 3/4] fix bug #78953
(cherry picked from commit 84847f1e74f9a103bdc2eb8f658107365fa4425c)
---
 MsBinaryFile/XlsFile/Format/Logic/Biff_unions/LD.cpp | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/LD.cpp b/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/LD.cpp
index dadb527760..488b74af4d 100644
--- a/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/LD.cpp
+++ b/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/LD.cpp
@@ -80,10 +80,11 @@ const bool LD::loadContent(BinProcessor& proc)
 elements_.pop_back();
 }
- proc.mandatory();
-
- m_ATTACHEDLABEL = elements_.back();
- elements_.pop_back();
+ if(proc.mandatory())
+ {
+ m_ATTACHEDLABEL = elements_.back();
+ elements_.pop_back();
+ }
 if (proc.optional())
 {
@@ -102,7 +103,8 @@ const bool LD::loadContent(BinProcessor& proc)
 elements_.pop_back();
 }
 proc.optional();
- proc.mandatory(); elements_.pop_back();
+ if(proc.mandatory())
+ elements_.pop_back();
 return true;
 }
From 037057ea7a6c59e10fffe2edbf6818eb1a9dea5e Mon Sep 17 00:00:00 2001
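Review bot: In LD.cpp (`@@ -80,10 +80,11 @@`), `m_ATTACHEDLABEL` is now left unset when `proc.mandatory()` fails, while `loadContent` carries on and, as far as the two hunks show, still returns `true`. Any later code that dereferences `m_ATTACHEDLABEL` without a null check (for example during serialization, which is not visible here) would move the crash from parsing to output. Either return `false` at this point or state the invariant next to the guard, e.g. `// m_ATTACHEDLABEL stays empty for malformed files; consumers must check before use`. The function body starts and ends outside the hunk.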
From: Viktor Andreev
Date: Fri, 5 Dec 2025 20:10:56 +0600
Subject: [PATCH 4/4] fix bug #78960
(cherry picked from commit bebb39a6199c435498352361988ee503cefb12eb)
---
 .../XlsFile/Format/Logic/Biff_records/DataFormat.cpp | 2 ++
 .../XlsFile/Format/Logic/Biff_records/MarkerFormat.cpp | 4 ++--
 MsBinaryFile/XlsFile/Format/Logic/Biff_unions/SS.cpp | 5 +++--
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/MsBinaryFile/XlsFile/Format/Logic/Biff_records/DataFormat.cpp b/MsBinaryFile/XlsFile/Format/Logic/Biff_records/DataFormat.cpp
index 7baa3dc932..1f9959676b 100644
--- a/MsBinaryFile/XlsFile/Format/Logic/Biff_records/DataFormat.cpp
+++ b/MsBinaryFile/XlsFile/Format/Logic/Biff_records/DataFormat.cpp
@@ -55,6 +55,8 @@ void DataFormat::readFields(CFRecord& record)
 unsigned short flags;
 record >> xi >> yi >> iss >> flags;
 fUnknown = GETBIT(flags, 0);
+ if(iss > 1000)
+ iss = 0;
 }
 void DataFormat::writeFields(CFRecord& record)
diff --git a/MsBinaryFile/XlsFile/Format/Logic/Biff_records/MarkerFormat.cpp b/MsBinaryFile/XlsFile/Format/Logic/Biff_records/MarkerFormat.cpp
index 51e0900d63..91d1dcd093 100644
--- a/MsBinaryFile/XlsFile/Format/Logic/Biff_records/MarkerFormat.cpp
+++ b/MsBinaryFile/XlsFile/Format/Logic/Biff_records/MarkerFormat.cpp
@@ -148,7 +148,7 @@ int MarkerFormat::serialize(std::wostream & _stream, int index, BaseObjectPtr _G
 {
 CP_XML_NODE(L"a:srgbClr")
 {
- CP_XML_ATTR(L"val", (false == fAuto || index < 0) ? rgbBack.strRGB : default_marker_color[index]);
+ CP_XML_ATTR(L"val", (false == fAuto || index < 0 || index > default_marker_color->size()) ? rgbBack.strRGB : default_marker_color[index]);
 }
 }
 }
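Review bot: In DataFormat.cpp the clamp `if(iss > 1000) iss = 0;` uses an unexplained limit and silently rewrites an out-of-range value from the file to 0. Nothing in the hunk ties 1000 to the size of whatever `iss` later indexes, so the limit may still be too loose for the real table, and `writeFields` (defined just below) would presumably write the altered value back. A named constant with a comment giving the origin of the limit would make this reviewable, e.g. `// values above <limit> are treated as malformed input; 0 selects the default format`. Checking against the actual container size at the point of use would be more robust than a fixed number at parse time.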
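Review bot: In MarkerFormat.cpp the new bound `index > default_marker_color->size()` probably does not check what it intends. `default_marker_color` is indexed with `[index]`, which suggests an array of strings; if so, `->size()` is the length of the first string, not the number of entries. Using `>` rather than `>=` would also still admit `index` equal to the count. Assuming the array definition is visible in this translation unit, the condition could be `index >= static_cast<int>(sizeof(default_marker_color) / sizeof(default_marker_color[0]))`. The same expression is used in the second MarkerFormat.cpp hunk and, as `default_series_line_color->size() > ind`, in both SS.cpp hunks.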
@@ -158,7 +158,7 @@ int MarkerFormat::serialize(std::wostream & _stream, int index, BaseObjectPtr _G
 {
 CP_XML_NODE(L"a:srgbClr")
 {
- CP_XML_ATTR(L"val", (false == fAuto || index < 0) ? rgbFore.strRGB : default_marker_color[index]);
+ CP_XML_ATTR(L"val", (false == fAuto || index < 0 || index > default_marker_color->size()) ? rgbFore.strRGB : default_marker_color[index]);
 }
 }
 CP_XML_NODE(L"a:prstDash") { CP_XML_ATTR(L"val", L"solid"); }
diff --git a/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/SS.cpp b/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/SS.cpp
index 72249f59a4..a4ee62db98 100644
--- a/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/SS.cpp
+++ b/MsBinaryFile/XlsFile/Format/Logic/Biff_unions/SS.cpp
@@ -305,7 +305,7 @@ int SS::serialize_default(std::wostream & _stream, int series_type, int ind )
 if ((line) && (line->lns == (_UINT16)5)) ind = -1;
 }
- if (ind >= 0 && m_isAutoLine)
+ if (ind >= 0 && default_series_line_color->size() > ind && m_isAutoLine)
 {
 CP_XML_NODE(L"a:ln")
 {
@@ -444,7 +444,8 @@ int SS::serialize(std::wostream & _stream, int series_type, int indPt)
 {
 CP_XML_NODE(L"a:srgbClr")
 {
- CP_XML_ATTR(L"val", default_series_line_color[ind]);
+ if(default_series_line_color->size() > ind)
+ CP_XML_ATTR(L"val", default_series_line_color[ind]);
 }
 }
 CP_XML_NODE(L"a:prstDash")
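Review bot: In the second SS.cpp hunk (`@@ -444,7 +444,8 @@`), when the new `if` is false the enclosing `CP_XML_NODE(L"a:srgbClr")` is still emitted, but without its `val` attribute. That looks likely to produce an `a:srgbClr` element that consumers reject, so the check is better placed around the whole node or paired with a fallback colour. If `ind` is a signed `int` here as it is in `serialize_default`, a negative value only fails the comparison through implicit conversion to unsigned; an explicit `ind >= 0 &&` as in the first SS.cpp hunk would make that intentional. The function body starts and ends outside the hunk, so the declaration of `ind` is not visible.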