Sync from SUSE:SLFO:Main gnuplot revision 7c7dfe1979911a001201772b4a3f2040

2025-05-28 11:13:27 +02:00
parent 72f9b49a8d
commit 3bb54d9b8f
10 changed files with 470 additions and 0 deletions

75
fix4bug1240325.patch Normal file

@@ -0,0 +1,75 @@
commit b456a3ef618f55a20b3071d336cb20514274f1d4
Author: Ethan A Merritt <merritt@u.washington.edu>
Date: Tue Mar 11 12:31:54 2025 -0700
guard against invalid read from plot->labels
If a plot style uses points and the point chosen has PT_CHARACTER
then the program looks for a possible font in plot->labels->font.
These plot styles contain a flag bit HAS_POINT (gp_types.h).
The program makes sure to initialize plot->labels for these styles.
However a problem arises when a plot style that doesn't use points
nevertheless triggers this same attempted font lookup by using a
linetype that happens to use pointtype PT_CHARACTER.
I think this is only possible with 'splot' but I added parallel
checks for 'plot' as well.
Bug 2776
diff --git src/boundary.c src/boundary.c
index e787de3f1..941635f7a 100644
--- src/boundary.c
+++ src/boundary.c
@@ -1468,7 +1468,7 @@ do_key_sample_point(
(*t->pointsize)(pointsize);
if (on_page(xl + key_point_offset, yl)) {
if (this_plot->lp_properties.p_type == PT_CHARACTER) {
- if (this_plot->labels->textcolor.type != TC_DEFAULT)
+ if (this_plot->labels && this_plot->labels->textcolor.type != TC_DEFAULT)
apply_pm3dcolor(&(this_plot->labels->textcolor));
(*t->put_text) (xl + key_point_offset, yl,
this_plot->lp_properties.p_char);
diff --git src/graph3d.c src/graph3d.c
index bda614b7a..74ae8d558 100644
--- src/graph3d.c
+++ src/graph3d.c
@@ -2164,7 +2164,7 @@ plot3d_points(struct surface_points *plot)
/* Set whatever we can that applies to every point in the loop */
if (plot->lp_properties.p_type == PT_CHARACTER) {
ignore_enhanced(TRUE);
- if (plot->labels->font && plot->labels->font[0])
+ if (plot->labels && plot->labels->font && plot->labels->font[0])
(*t->set_font) (plot->labels->font);
(*t->justify_text) (CENTRE);
}
@@ -2260,7 +2260,7 @@ plot3d_points(struct surface_points *plot)
/* Return to initial state */
if (plot->lp_properties.p_type == PT_CHARACTER) {
- if (plot->labels->font && plot->labels->font[0])
+ if (plot->labels && plot->labels->font && plot->labels->font[0])
(*t->set_font) ("");
ignore_enhanced(FALSE);
}
diff --git src/graphics.c src/graphics.c
index 083cb61f4..f68ef7096 100644
--- src/graphics.c
+++ src/graphics.c
@@ -2649,7 +2649,7 @@ plot_points(struct curve_points *plot)
/* Set whatever we can that applies to every point in the loop */
if (plot->lp_properties.p_type == PT_CHARACTER) {
ignore_enhanced(TRUE);
- if (plot->labels->font && plot->labels->font[0])
+ if (plot->labels && plot->labels->font && plot->labels->font[0])
(*t->set_font) (plot->labels->font);
(*t->justify_text) (CENTRE);
}
@@ -2781,7 +2781,7 @@ plot_points(struct curve_points *plot)
/* Return to initial state */
if (plot->lp_properties.p_type == PT_CHARACTER) {
- if (plot->labels->font && plot->labels->font[0])
+ if (plot->labels && plot->labels->font && plot->labels->font[0])
(*t->set_font) ("");
ignore_enhanced(FALSE);
}
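Review bot: The four `plot->labels &&` guards in plot3d_points() and plot_points(), and the `this_plot->labels &&` guard in do_key_sample_point(), carry no comment saying why the pointer can be NULL, so a later edit to these PT_CHARACTER branches can easily reintroduce the unguarded read. A one-line comment at the first guard in each function would record it, e.g. `/* labels is only set up for HAS_POINT styles; a linetype can still select PT_CHARACTER */`. Only the setup and restore branches are visible in these hunks; the per-point loop between them lies outside the diff, so it is worth confirming that nothing there reads `plot->labels` while p_type is PT_CHARACTER.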

30
fix4bug1240326.patch Normal file

@@ -0,0 +1,30 @@
commit 226809aebb345e74d371bb43a2b434b490be527a
Author: Ethan A Merritt <merritt@u.washington.edu>
Date: Wed Jan 15 11:56:13 2025 -0800
dumb: more stringent tests against y bound of dumb terminal charcell array
Bug 2756
diff --git term/dumb.trm term/dumb.trm
index 498e27fc6..fdc94fbf5 100644
--- term/dumb.trm
+++ term/dumb.trm
@@ -801,7 +801,7 @@ DUMB_put_text(unsigned int x, unsigned int y, const char *str)
{
int i, length;
- if (y > dumb_ymax)
+ if (y < 0 || y > dumb_ymax)
return;
length = gp_strlen(str);
@@ -949,7 +949,7 @@ ENHdumb_FLUSH()
y += i;
/* print the string fragment, perhaps invisibly */
- if (ENHdumb_show && y < dumb_ymax) {
+ if (ENHdumb_show && (0 <= y && y < dumb_ymax)) {
for (i = 0; i < len && x < dumb_xmax; i++, x++) {
utf8_copy_one( (char *)(&DUMB_PIXEL(x, y)), gp_strchrn(str,i));
#ifndef NO_DUMB_COLOR_SUPPORT
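Review bot: The added `y < 0` test in DUMB_put_text() can never be true, because the signature in the hunk header declares `unsigned int y`; a negative row passed by a caller arrives as a large positive value and only the existing `y > dumb_ymax` comparison can reject it (GCC reports this under -Wtype-limits). If wrapped values are meant to be rejected explicitly, the test has to run on a signed value, e.g. `if ((int)y < 0 || (int)y > dumb_ymax)`, assuming dumb_ymax is an int. The two hunks also disagree on the upper bound: DUMB_put_text() lets `y == dumb_ymax` through while ENHdumb_FLUSH() requires `y < dumb_ymax`, so one of them is off by one row unless the cell array has dumb_ymax+1 rows, which is not visible here. In ENHdumb_FLUSH() the column is only bounded above (`x < dumb_xmax`); if x is signed there, it needs the same `0 <=` test before DUMB_PIXEL(x, y) is written. Both function bodies continue outside the hunks.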

84
fix4bug1240327.patch Normal file

@@ -0,0 +1,84 @@
commit b78cc829a18e9436daaa859c96f3970157f3171e
Author: Ethan A Merritt <merritt@u.washington.edu>
Date: Tue Jan 14 21:23:19 2025 -0800
use snprintf to protect against garbage user-supplied mouse format
Bug 2754
diff --git src/mouse.c src/mouse.c
index 4d1362130..95266738b 100644
--- src/mouse.c
+++ src/mouse.c
@@ -270,7 +270,7 @@ static void alert(void);
static void MousePosToGraphPosReal(int xx, int yy, double *x, double *y, double *x2, double *y2);
static char *xy_format(void);
static char *zoombox_format(void);
-static char *GetAnnotateString(char *s, double x, double y, int mode, char *fmt);
+static char *GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt);
static char *xDateTimeFormat(double x, char *b, int mode);
static void GetRulerString(char *p, double x, double y);
static void apply_zoom(struct t_zoom * z);
@@ -524,7 +524,7 @@ zoombox_format()
/* formats the information for an annotation (middle mouse button clicked)
*/
static char *
-GetAnnotateString(char *s, double x, double y, int mode, char *fmt)
+GetAnnotateString(char *s, size_t len, double x, double y, int mode, char *fmt)
{
if (axis_array[FIRST_X_AXIS].datatype == DT_DMS
|| axis_array[FIRST_Y_AXIS].datatype == DT_DMS) {
@@ -579,11 +579,11 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt)
r = rmin + x/cos(phi);
if (fmt)
- sprintf(s, fmt, theta, r);
+ snprintf(s, len, fmt, theta, r);
else
sprintf(s, "theta: %.1f%s r: %g", theta, degree_sign, r);
} else if ((mode == MOUSE_COORDINATES_ALT) && fmt) {
- sprintf(s, fmt, x, y); /* user defined format */
+ snprintf(s, len, fmt, x, y); /* user defined format */
} else if (mode == MOUSE_COORDINATES_FUNCTION) {
/* EXPERIMENTAL !!! */
t_value original_x, original_y;
@@ -606,7 +606,7 @@ GetAnnotateString(char *s, double x, double y, int mode, char *fmt)
gpfree_string(&readout);
} else {
/* Default format ("set mouse mouseformat" is not active) */
- sprintf(s, xy_format(), x, y); /* usual x,y values */
+ snprintf(s, len, xy_format(), x, y); /* usual x,y values */
}
return s + strlen(s);
}
@@ -1020,10 +1020,10 @@ UpdateStatuslineWithMouseSetting(mouse_setting_t * ms)
strcat(format, ms->fmt);
strcat(format, ", ");
strcat(format, ms->fmt);
- sprintf(s0, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale);
+ snprintf(s0, 255, format, surface_rot_x, surface_rot_z, surface_scale, surface_zscale);
} else if (!TICS_ON(axis_array[SECOND_X_AXIS].ticmode) && !TICS_ON(axis_array[SECOND_Y_AXIS].ticmode)) {
/* only first X and Y axis are in use */
- sp = GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string);
+ sp = GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string);
if (ruler.on)
GetRulerString(sp, real_x, real_y);
} else {
@@ -2286,7 +2286,7 @@ event_buttonrelease(struct gp_event_t *ge)
* only place, if the user didn't drag (rotate) the plot */
if (!is_3d_plot || !motion) {
- GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string);
+ GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string);
term->set_clipboard(s0);
if (display_ipc_commands()) {
fprintf(stderr, "put `%s' to clipboard.\n", s0);
@@ -2302,7 +2302,7 @@ event_buttonrelease(struct gp_event_t *ge)
/* draw temporary annotation or label. For 3d plots this is
* only done if the user didn't drag (scale) the plot */
if (!is_3d_plot || !motion) {
- GetAnnotateString(s0, real_x, real_y, mouse_mode, mouse_alt_string);
+ GetAnnotateString(s0, 255, real_x, real_y, mouse_mode, mouse_alt_string);
if (mouse_setting.label) {
if (modifier_mask & Mod_Ctrl) {
remove_label(mouse_x, mouse_y);
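Review bot: snprintf() in GetAnnotateString() bounds how many bytes are written to `s`, but the user-supplied `fmt` is still passed as the format itself, so a mouse format whose conversions do not each consume a double remains undefined behaviour when the arguments are read; unless the format is validated where it is stored (not visible here), it should be checked to contain only the expected floating-point conversions. The size is passed as the literal `255` at all three call sites and in UpdateStatuslineWithMouseSetting(); if `s0` is an array in those functions, `sizeof(s0)` would keep the bound tied to the declaration. The result is then extended without a bound: `GetRulerString(sp, real_x, real_y)` appends at `s + strlen(s)`, and the polar branch keeps `sprintf(s, "theta: %.1f%s r: %g", ...)`, so a nearly full buffer can still be overrun by the ruler text. The `strcat(format, ms->fmt)` calls that build `format` just before the first changed line in UpdateStatuslineWithMouseSetting() are likewise unbounded as far as the hunk shows.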

107
fix4bug1240328.patch Normal file

@@ -0,0 +1,107 @@
commit ed647df512786b3c94429dd5c864715301e03ea5
Author: Ethan A Merritt <merritt@u.washington.edu>
Date: Tue Mar 11 16:31:23 2025 -0700
guard against trying to format a huge number as a time
The time formatting code does not handle time_in_seconds > 1.e12
(sometime in the year 33658).
Bug 2779
diff --git src/mouse.c src/mouse.c
index ba0609290..a6110f5ff 100644
--- src/mouse.c
+++ src/mouse.c
@@ -619,6 +619,11 @@ static char *
xDateTimeFormat(double x, char *b, int mode)
{
struct tm tm;
+ if (fabs(x) > 1.e12) { /* Some time in the year 33688 */
+ int_warn(NO_CARET, "time value out of range");
+ *b = '\0';
+ return b;
+ }
switch (mode) {
case MOUSE_COORDINATES_XDATE:
commit 3270021820ff6ac7a6d77b77fe69777129937994
Author: Ethan A Merritt <merritt@u.washington.edu>
Date: Wed Mar 12 19:56:13 2025 -0700
check valid range on time value before trying to format it
Absurdly large time values (number of seconds) cause failures in the
routines that populate a time structure and format the result.
The program does complain about an invalid time value but only
after the failures have already occurred.
E.g.
print strftime("%Y", 1.e14)
Now a check for fabs(time) > 1.e12 is the first thing in f_strftime().
Bug 2779
diff --git src/internal.c src/internal.c
index 53be8d409..2d8812e49 100644
--- src/internal.c
+++ src/internal.c
@@ -1905,30 +1905,37 @@ f_strftime(union argument *arg)
int_error(NO_CARET,
"First parameter to strftime must be a format string");
- /* Prepare format string.
- * Make sure the resulting string not empty by adding a space.
- * Otherwise, the return value of gstrftime doesn't give enough
- * information.
- */
- fmtlen = strlen(fmt.v.string_val) + 1;
- fmtstr = gp_alloc(fmtlen + 1, "f_strftime: fmt");
- strncpy(fmtstr, fmt.v.string_val, fmtlen);
- strncat(fmtstr, " ", fmtlen);
- buflen = 80 + 2*fmtlen;
- buffer = gp_alloc(buflen, "f_strftime: buffer");
-
- /* Get time_str */
- length = gstrftime(buffer, buflen, fmtstr, real(&val));
- if (length == 0 || length >= buflen)
- int_error(NO_CARET, "String produced by time format is too long");
-
- /* Remove trailing space */
- assert(buffer[length-1] == ' ');
- buffer[length-1] = NUL;
+ /* Range check */
+ if (!(fabs(real(&val)) < 1.e12)) {
+ int_warn(NO_CARET, "time value out of range");
+ buffer = strdup(" ");
+
+ } else {
+ /* Prepare format string.
+ * Make sure the resulting string not empty by adding a space.
+ * Otherwise, the return value of gstrftime doesn't give enough
+ * information.
+ */
+ fmtlen = strlen(fmt.v.string_val) + 1;
+ fmtstr = gp_alloc(fmtlen + 1, "f_strftime: fmt");
+ strncpy(fmtstr, fmt.v.string_val, fmtlen);
+ strncat(fmtstr, " ", fmtlen);
+ buflen = 80 + 2*fmtlen;
+ buffer = gp_alloc(buflen, "f_strftime: buffer");
+
+ /* Get time_str */
+ length = gstrftime(buffer, buflen, fmtstr, real(&val));
+ if (length == 0 || length >= buflen)
+ int_error(NO_CARET, "String produced by time format is too long");
+
+ /* Remove trailing space */
+ assert(buffer[length-1] == ' ');
+ buffer[length-1] = NUL;
+ free(fmtstr);
+ }
gpfree_string(&val);
gpfree_string(&fmt);
- free(fmtstr);
push(Gstring(&val, buffer));
free(buffer);
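Review bot: The range test added to xDateTimeFormat() in mouse.c, `if (fabs(x) > 1.e12)`, lets NaN through because every ordered comparison with NaN is false, while the test added to f_strftime() is written `!(fabs(real(&val)) < 1.e12)` and rejects it; the mouse.c check should use the same form, `if (!(fabs(x) < 1.e12)) {`. In f_strftime() the out-of-range branch calls `strdup(" ")` without checking the result, whereas the normal path allocates through `gp_alloc`; a NULL would be handed on to `Gstring()` and `free()`. The comment in mouse.c says year 33688 while the commit message says 33658. f_strftime() starts and ends outside the hunk.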

33
fix4bug1240329.patch Normal file

@@ -0,0 +1,33 @@
commit b2343fd02c4fff94957f0151b73daa0a1f7fec49
Author: Ethan A Merritt <merritt@u.washington.edu>
Date: Tue Jan 14 21:54:14 2025 -0800
canvas: handle nonlinear x2 or y2 axis with an incomplete definition
Actually "handle" means "ignore".
But now it doesn't segfault trying to probe a non-existant link function.
Bug 2755
diff --git term/canvas.trm term/canvas.trm
index a919b09bd..bfe567832 100644
--- term/canvas.trm
+++ term/canvas.trm
@@ -646,7 +646,7 @@ CANVAS_text()
} else
fprintf(gpoutfile, "gnuplot.plot_axis_x2min = \"none\"\n");
if (axis_array[SECOND_X_AXIS].linked_to_primary
- && axis_array[FIRST_X_AXIS].link_udf->at) {
+ && axis_array[FIRST_X_AXIS].link_udf && axis_array[FIRST_X_AXIS].link_udf->at) {
fprintf(gpoutfile, "gnuplot.x2_mapping = function(x) { return x; };");
fprintf(gpoutfile, " // replace returned value with %s\n",
axis_array[FIRST_X_AXIS].link_udf->definition);
@@ -657,7 +657,7 @@ CANVAS_text()
} else
fprintf(gpoutfile, "gnuplot.plot_axis_y2min = \"none\"\n");
if (axis_array[SECOND_Y_AXIS].linked_to_primary
- && axis_array[FIRST_Y_AXIS].link_udf->at) {
+ && axis_array[FIRST_Y_AXIS].link_udf && axis_array[FIRST_Y_AXIS].link_udf->at) {
fprintf(gpoutfile, "gnuplot.y2_mapping = function(y) { return y; };");
fprintf(gpoutfile, " // replace returned value with %s\n",
axis_array[FIRST_Y_AXIS].link_udf->definition);
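Review bot: When `link_udf` is NULL the new condition in CANVAS_text() simply falls through, and nothing in the code says that an incomplete nonlinear axis definition is deliberately ignored; a comment above each condition would record that, e.g. `/* link_udf may be NULL if the nonlinear axis definition is incomplete; emit no mapping */`. The guarded branch prints `link_udf->definition` with `%s` although only `link_udf` and `->at` are tested, so if `definition` can be NULL while `at` is set (not visible here) the fprintf is still undefined. That string is user-supplied text written into the generated JavaScript after `//`; it is worth confirming it cannot contain a line break, since that would end the comment in the output file. The condition tests SECOND_*_AXIS.linked_to_primary but reads FIRST_*_AXIS.link_udf, which may be intended but deserves a word in the same comment.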

34
fix4bug1240330.patch Normal file

@@ -0,0 +1,34 @@
commit af96c2c1b20383684b1ec2084dab7936f7053031
Author: Ethan A Merritt <merritt@u.washington.edu>
Date: Tue Jan 14 20:56:37 2025 -0800
x11: protect against double fclose() if two errors in a row
Bug 2753
diff --git term/x11.trm term/x11.trm
index 18ad4ad85..cbe01dd0e 100644
--- term/x11.trm
+++ term/x11.trm
@@ -854,8 +854,9 @@ X11_atexit()
/* dont wait(), since they might be -persist */
X11_ipc = NULL;
#ifdef PIPE_IPC
- close(ipc_back_fd);
- ipc_back_fd = -1;
+ if (ipc_back_fd >= 0)
+ close(ipc_back_fd);
+ ipc_back_fd = IPC_BACK_CLOSED;
#endif
}
}
@@ -1374,7 +1375,8 @@ X11_graphics()
#ifdef PIPE_IPC
/* if we know the outboard driver has stopped, restart it */
if (ipc_back_fd == IPC_BACK_CLOSED) {
- fclose(X11_ipc);
+ if (X11_ipc > 0)
+ fclose(X11_ipc);
X11_ipc = NULL;
X11_init();
}
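Review bot: In X11_graphics() the new guard `if (X11_ipc > 0)` applies a relational operator to a `FILE *` and the integer 0 (X11_ipc is passed to fclose() and assigned NULL on the next line); ISO C does not define an ordered comparison between a pointer and an integer constant and compilers accept it with a warning at best, so the test should be `if (X11_ipc != NULL)`. In X11_atexit() the patch now stores `IPC_BACK_CLOSED` where `-1` was stored before while the guard is `ipc_back_fd >= 0`; that only prevents a second close() if IPC_BACK_CLOSED is negative, which the hunk does not show. Both functions continue outside the hunks.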

57
fix4bug1241684.patch Normal file

@@ -0,0 +1,57 @@
commit a5897feadc4be73b0ffd8458556c47117bd24d03
Author: Ethan A Merritt <merritt@u.washington.edu>
Date: Tue Mar 25 22:51:54 2025 -0700
hpgl: font name parsing overruns the string by one char
if no comma is present in the font name.
E.g.
set term pcl
set title "Title" font "sans" # no comma in font name
plot x
Bug 2781
diff --git term/hpgl.trm term/hpgl.trm
index 8e763d174..d432f7e39 100644
--- term/hpgl.trm
+++ term/hpgl.trm
@@ -1653,28 +1653,22 @@ TERM_PUBLIC int
HPGL2_set_font(const char *font)
{
char name[MAX_ID_LEN + 1];
- int sep;
- int int_size;
- double size;
+ char *sep;
+ double size = HPGL2_point_size;
if (font == NULL)
font = "";
- sep = strcspn(font, ",");
strncpy(name, font, sizeof(name)-1);
- if (sep < sizeof(name))
- name[sep] = NUL;
-
-/* determine font size, use default from options if invalid */
- int_size = 0;
- /* FIXME: use strtod instead */
- sscanf(&(font[sep + 1]), "%d", &int_size);
- if (int_size > 0)
- size = int_size;
- else
- size = HPGL2_point_size;
-
+ /* determine font size, use default from options if invalid */
+ sep = strchr(font, ',');
+ if (sep) {
+ double req_size = strtod(sep+1, NULL);
+ if (req_size > 0)
+ size = req_size;
+ *sep = '\0';
+ }
return HPGL2_set_font_size(name, size);
}
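Review bot: In the rewritten HPGL2_set_font(), `sep = strchr(font, ',')` points into the caller's `const char *font`, so `*sep = '\0'` writes through a const-qualified string (possibly a string literal or a shared font name) and leaves the local copy `name` still holding the `,size` suffix that is passed to HPGL2_set_font_size(). The copy is also no longer guaranteed to be terminated: `strncpy(name, font, sizeof(name)-1)` writes no NUL when font has MAX_ID_LEN or more characters, and the old `name[sep] = NUL` is gone. Terminating the copy and searching it instead addresses both: add `name[sizeof(name)-1] = '\0';` after the strncpy and use `sep = strchr(name, ',');`. With that change a size that lies beyond the truncation point is dropped and the default HPGL2_point_size is used.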


@@ -1,3 +1,21 @@
-------------------------------------------------------------------
Mon May 12 12:14:33 UTC 2025 - Dr. Werner Fink <werner@suse.de>
- Add patches
* fix4bug1240325.patch - boo#1240325: CVE-2025-31176: segmentation fault on plot3d_points
* fix4bug1240326.patch - boo#1240326: CVE-2025-31177: heap-buffer overflow on utf8_copy_one
* fix4bug1240327.patch - boo#1240327: CVE-2025-31178: segmentation fault on GetAnnotateString
* fix4bug1240328.patch - boo#1240328: CVE-2025-31179: segmentation fault on xstrftime
* fix4bug1240329.patch - boo#1240329: CVE-2025-31180: segmentation fault on CANVAS_text
* fix4bug1240330.patch - boo#1240330: CVE-2025-31181: segmentation fault on X11_graphics
* fix4bug1241684.patch - boo#1241684: CVE-2025-3359: segmentation fault via IO_str_init_static_internal function
- Add a check section and we use a dump terminal
-------------------------------------------------------------------
Tue Feb 18 13:09:58 UTC 2025 - Dr. Werner Fink <werner@suse.de>
- Use openspecfun only for opensuse builds
-------------------------------------------------------------------
Tue Jan 7 09:57:13 UTC 2025 - Dr. Werner Fink <werner@suse.de>


@@ -1,3 +1,16 @@
-------------------------------------------------------------------
Mon May 12 12:14:33 UTC 2025 - Dr. Werner Fink <werner@suse.de>
- Add patches
* fix4bug1240325.patch - boo#1240325: CVE-2025-31176: segmentation fault on plot3d_points
* fix4bug1240326.patch - boo#1240326: CVE-2025-31177: heap-buffer overflow on utf8_copy_one
* fix4bug1240327.patch - boo#1240327: CVE-2025-31178: segmentation fault on GetAnnotateString
* fix4bug1240328.patch - boo#1240328: CVE-2025-31179: segmentation fault on xstrftime
* fix4bug1240329.patch - boo#1240329: CVE-2025-31180: segmentation fault on CANVAS_text
* fix4bug1240330.patch - boo#1240330: CVE-2025-31181: segmentation fault on X11_graphics
* fix4bug1241684.patch - boo#1241684: CVE-2025-3359: segmentation fault via IO_str_init_static_internal function
- Add a check section and we use a dump terminal
-------------------------------------------------------------------
Tue Feb 18 13:09:58 UTC 2025 - Dr. Werner Fink <werner@suse.de>


@@ -115,6 +115,13 @@ Patch4: gnuplot-4.6.0-demo.diff
Patch5: gnuplot-wx3.diff
Patch6: gnuplot-QtCore-PIC.dif
Patch7: gnuplot-PIE.patch
Patch25: fix4bug1240325.patch
Patch26: fix4bug1240326.patch
Patch27: fix4bug1240327.patch
Patch28: fix4bug1240328.patch
Patch29: fix4bug1240329.patch
Patch30: fix4bug1240330.patch
Patch84: fix4bug1241684.patch
%define _x11lib %{_libdir}
%define _x11data %{_datadir}/X11
%define _x11inc %{_includedir}/X11
@@ -150,6 +157,13 @@ cp %{_sourcedir}/picins.sty docs
%patch -P5 -p1 -b .w3x
%patch -P6 -p0 -b .pic
%patch -P7 -p1 -b .pie
%patch -P25 -p0 -b .p25
%patch -P26 -p0 -b .p26
%patch -P27 -p0 -b .p27
%patch -P28 -p0 -b .p28
%patch -P29 -p0 -b .p29
%patch -P30 -p0 -b .p30
%patch -P84 -p0 -b .p84
%build
autoreconf -fi
@@ -275,6 +289,11 @@ autoreconf -fi
%fdupes %{buildroot}/%{_docdir}
%endif
%if "%{flavor}" == ""
%check
GNUTERM=dumb make check
%endif
%if "%{flavor}" == "doc"
%post
%install_info --info-dir=.%{_infodir} .%{_infodir}/%{sname}.info.gz