Various security fixes

OBS-URL: https://build.opensuse.org/package/show/Publishing/transfig?expand=0&rev=62
Dr. Werner Fink 2020-02-11 11:42:48 +00:00 committed by Git OBS Bridge
parent fab0225ae6
commit 55355626e5
13 changed files with 795 additions and 4 deletions

79
00cded.patch Normal file

@ -0,0 +1,79 @@
From 00cdedac7a0b029846dee891769a1e77df83a01b Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Sat, 25 Jan 2020 15:04:59 +0100
Subject: [PATCH] Accept -1 as default TeX font, fixes ticket #81
The default for PostScript fonts is -1, for TeX fonts 0. Accepting -1 for TeX
fonts lead to out-of-bound read. Now, -1 for TeX fonts is converted to 0.
---
fig2dev/dev/genpict2e.c | 9 +++++----
fig2dev/dev/gentikz.c | 9 +++++----
fig2dev/tests/read.at | 10 ++++++++++
3 files changed, 20 insertions(+), 8 deletions(-)
diff --git fig2dev/dev/genpict2e.c fig2dev/dev/genpict2e.c
index 6ab442e..dd6fd95 100644
--- fig2dev/dev/genpict2e.c
+++ fig2dev/dev/genpict2e.c
@@ -2223,11 +2223,12 @@ put_font(F_text *t)
}
if (psfont_text(t))
- fprintf(tfp, "\\usefont%s",
- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
+ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
+ t->font + 1 : 0]);
else
- fprintf(tfp, "\\normalfont%s ",
- texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
+ /* Default psfont is -1, default texfont 0, also accept -1. */
+ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
+ (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
}
void
diff --git fig2dev/dev/gentikz.c fig2dev/dev/gentikz.c
index 797ca1c..b374e10 100644
--- fig2dev/dev/gentikz.c
+++ fig2dev/dev/gentikz.c
@@ -1772,11 +1772,12 @@ put_font(F_text *t)
}
if (psfont_text(t))
- fprintf(tfp, "\\usefont%s",
- texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
+ fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
+ t->font + 1 : 0]);
else
- fprintf(tfp, "\\normalfont%s ",
- texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
+ /* Default psfont is -1, default texfont 0, also accept -1. */
+ fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
+ (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
}
/*
diff --git fig2dev/tests/read.at fig2dev/tests/read.at
index 9b34bfb..331afb5 100644
--- fig2dev/tests/read.at
+++ fig2dev/tests/read.at
@@ -406,6 +406,16 @@ EOF
])
AT_CLEANUP
+AT_SETUP([allow tex font -1, ticket #81])
+AT_DATA([text.fig], [FIG_FILE_TOP
+4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
+])
+AT_CHECK([fig2dev -L pict2e text.fig
+], 0, ignore)
+AT_CHECK([fig2dev -L tikz text.fig
+], 0, ignore)
+AT_CLEANUP
+
AT_BANNER([Dynamically allocate picture file name.])
AT_SETUP([prepend fig file path to picture file name])
--
2.16.4
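Review bot: In both copies of `put_font` (genpict2e.c and gentikz.c) the upper guard is still `t->font <= MAX_FONT` while the fallback index is `MAX_FONT - 1`, so a font equal to MAX_FONT is used as an index unclamped. Whether that slot exists depends on the size of `texfonts`, which is declared outside this patch, so either confirm it or change the test to `t->font < MAX_FONT`. The PostScript branch has the matching gap at the lower end: `t->font + 1` is a valid index only for `t->font >= -1`, and that relies on validation done elsewhere rather than on anything in this hunk. Because the two files carry the identical expression, a shared helper for the clamped lookup would keep them from drifting apart; `put_font` begins before the hunk in both files.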

63
2f8d1a.patch Normal file

@ -0,0 +1,63 @@
From 2f8d1ae9763dcdc99b88a2b14849fe37174bcd69 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Wed, 29 Jan 2020 22:53:32 +0100
Subject: [PATCH] Reject out-of-range pattern, ticket #63
---
fig2dev/object.h | 2 +-
fig2dev/tests/read.at | 19 +++++++++++++++++--
2 files changed, 18 insertions(+), 3 deletions(-)
diff --git fig2dev/object.h fig2dev/object.h
index 8464010..6830b13 100644
--- fig2dev/object.h
+++ fig2dev/object.h
@@ -61,7 +61,7 @@ typedef struct f_comment {
o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE || \
o->thickness < 0 || o->depth < 0 || o->depth > 999 || \
o->fill_style < UNFILLED || \
- o->fill_style > NUMSHADES + NUMTINTS + NUMPATTERNS || \
+ o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS || \
o->style_val < 0.0
typedef struct f_ellipse {
|diff --git fig2dev/tests/read.at fig2dev/tests/read.at
|index 2d066e4..bf117ee 100644
|--- fig2dev/tests/read.at
|+++ fig2dev/tests/read.at
|@@ -421,15 +421,30 @@ AT_CLEANUP
|
| AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
| AT_KEYWORDS([read.c svg])
|-AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
|+AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig],
|+1, ignore, [ASCII NUL ('\0') in line 11.
|+])
| AT_CLEANUP
|
| AT_SETUP([reject out of range text angle, ticket #76])
|+AT_KEYWORDS([read.c pstricks])
| AT_CHECK([fig2dev -L pstricks <<EOF
| FIG_FILE_TOP
| 4 0 0 50 -1 -1 12 9e26 0 150 405 0 0 Very slanted text\001
| EOF
|-], 1, ignore, ignore)
|+], 1, ignore, [Invalid text object at line 10.
|+])
|+AT_CLEANUP
|+
|+AT_SETUP([reject out-of-range pattern fills, ticket #63])
|+AT_KEYWORDS([read.c cgm])
|+AT_CHECK([fig2dev -L cgm <<EOF
|+FIG_FILE_TOP
|+2 3 0 0 0 7 50 -1 63 0.000 0 0 -1 0 0 4
|+ 0 0 1200 0 600 800 0 0
|+EOF
|+], 1, ignore, [Invalid line object at line 10.
|+])
| AT_CLEANUP
|
| AT_BANNER([Dynamically allocate picture file name.])
--
2.16.4
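Review bot: The corrected bound in `COMMON_PROPERTIES` (object.h) sits in a macro whose expansion is a bare `||` chain with an unparenthesised `o`, so the check is only right while every user splices it into another `||` chain; under `!` or `&&` it would bind to the first comparison only. Wrapping the whole expansion in parentheses and writing `(o)->fill_style` would make the validation independent of the call site. A short comment such as `/* valid fill_style: UNFILLED .. NUMSHADES + NUMTINTS + NUMPATTERNS - 1 */` would also record why `>=` is the right operator. The macro starts above the hunk, so its opening lines are not visible here.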

75
3165d8.patch Normal file

@ -0,0 +1,75 @@
From 3165d86c31c6323913239fdc6460be6ababd3826 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Tue, 4 Feb 2020 20:58:27 +0100
Subject: [PATCH] Allow arrows with zero length on arcs, ticket #74
---
fig2dev/bound.c | 9 +++++----
fig2dev/tests/output.at | 10 +++++++++-
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git fig2dev/bound.c fig2dev/bound.c
index ce7f4d1..d305ab9 100644
--- fig2dev/bound.c
+++ fig2dev/bound.c
@@ -3,7 +3,7 @@
* Copyright (c) 1985 Supoj Sutanthavibul
* Copyright (c) 1991 Micah Beck
* Parts Copyright (c) 1989-2015 by Brian V. Smith
- * Parts Copyright (c) 2015-2019 Thomas Loimer
+ * Parts Copyright (c) 2015-2020 Thomas Loimer
*
* Any party obtaining a copy of these files is granted, free of charge, a
* full and unrestricted irrevocable, world-wide, paid up, royalty-free,
@@ -1095,9 +1095,8 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
r=sqrt(dx*dx+dy*dy);
h = (double) arrow->ht;
/* lines are made a little thinner in set_linewidth */
- thick = (arrow->thickness <= THICK_SCALE) ?
- 0.5* arrow->thickness :
- arrow->thickness - THICK_SCALE;
+ thick = arrow->thickness <= THICK_SCALE ?
+ 0.5 * arrow->thickness : arrow->thickness - THICK_SCALE;
/* lpt is the amount the arrowhead extends beyond the end of the line */
lpt = thick/2.0/(arrow->wid/h/2.0);
/* add this to the length */
@@ -1107,6 +1106,8 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
if (h > 2.0*r) {
arc_tangent_int(x1,y1,x2,y2,direction,x,y);
return;
+ } else if (h < thick) {
+ h = thick;
}
beta=atan2(dy,dx);
diff --git fig2dev/tests/output.at fig2dev/tests/output.at
index fd06727..e0d088c 100644
--- fig2dev/tests/output.at
+++ fig2dev/tests/output.at
@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to various Devices
dnl Copyright (c) 1991 by Micah Beck
dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
-dnl Parts Copyright (c) 2015-2019 by Thomas Loimer
+dnl Parts Copyright (c) 2015-2020 by Thomas Loimer
dnl
dnl Any party obtaining a copy of these files is granted, free of charge, a
dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
@@ -175,6 +175,14 @@ AT_CHECK([fig2dev -L pict2e -P big1.fig big1.tex && \
], 0, ignore)
AT_CLEANUP
+AT_SETUP([accept arc arrows with zero height, ticket #74])
+AT_KEYWORDS(pict2e)
+AT_CHECK([fig2dev -L pict2e <<EOF
+FIG_FILE_TOP
+5 1 0 1 0 7 50 -1 -1 0.0 0 0 1 0 0.0 0.0 600 0 0 600 -600 0
+ 1 1 1.0 60.0 0.0
+EOF], 0, ignore)
+AT_CLEANUP
AT_BANNER([Test svg output language.])
AT_SETUP([compare patterns with template])
--
2.16.4
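Review bot: The new `h < thick` clamp in `compute_arcarrow_angle` runs only after `lpt = thick/2.0/(arrow->wid/h/2.0)` has already divided by `h`, so the zero-height arrow that the new test feeds in still reaches a division by zero a few lines earlier. With floating-point operands that gives infinity or, if `arrow->wid` is also zero, NaN, and a NaN `h` passes both `h > 2.0*r` and `h < thick` unchanged; the field types are declared outside the hunk, so this is inferred from the `(double)` cast. Guarding before the division, for example `if (h < thick) h = thick;` ahead of the `lpt` line together with a check that `arrow->wid > 0`, would cover it. When `thick` is itself 0 the clamp also leaves `h` at 0.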

68
421afa.patch Normal file

@ -0,0 +1,68 @@
From 421afa17d8cb8dafcaf3e6044a70790fa4fe307b Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Mon, 27 Jan 2020 23:01:11 +0100
Subject: [PATCH] Accept -1 TeX font in more places, fixes #71, #75
Continue the work started in commit [00cded]. Fix the fundamental issue of
tickets #71 and #75, which was hidden by commit [d70e4b].
---
fig2dev/dev/texfonts.h | 14 +++++++++-----
fig2dev/tests/read.at | 4 +++-
2 files changed, 12 insertions(+), 6 deletions(-)
diff --git fig2dev/dev/texfonts.h fig2dev/dev/texfonts.h
index 89097f2..e5254b6 100644
--- fig2dev/dev/texfonts.h
+++ fig2dev/dev/texfonts.h
@@ -35,17 +35,21 @@ extern char texfontsizes[];
#define MAXFONTSIZE 42
#ifdef NFSS
-#define TEXFAMILY(F) (texfontfamily[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
-#define TEXSERIES(F) (texfontseries[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
-#define TEXSHAPE(F) (texfontshape[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+#define TEXFAMILY(F) texfontfamily[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
+ : MAX_FONT-1]
+#define TEXSERIES(F) texfontseries[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
+ : MAX_FONT-1]
+#define TEXSHAPE(F) texfontshape[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
+ : MAX_FONT-1]
#endif
-#define TEXFONT(F) (texfontnames[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+#define TEXFONT(F) texfontnames[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
+ : MAX_FONT-1]
/*
#define TEXFONTSIZE(S) (texfontsizes[((S) <= MAXFONTSIZE) ? (int)(round(S))\
: (MAXFONTSIZE-1)])
*/
-#define TEXFONTSIZE(S) (((S) <= MAXFONTSIZE) ? texfontsizes[(int)(round(S))] : (S))
+#define TEXFONTSIZE(S) ((S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S))
#define TEXFONTMAG(T) TEXFONTSIZE(T->size*(rigid_text(T) ? 1.0 : fontmag))
void setfigfont(F_text *text); /* genepic.c */
|diff --git fig2dev/tests/read.at fig2dev/tests/read.at
|index 60982b0..726e6da 100644
|--- fig2dev/tests/read.at
|+++ fig2dev/tests/read.at
|@@ -406,7 +406,7 @@ EOF
| ])
| AT_CLEANUP
|
|-AT_SETUP([allow tex font -1, ticket #81])
|+AT_SETUP([allow tex font -1, tickets #71, #75, #81])
| AT_KEYWORDS([pict2e tikz])
| AT_DATA([text.fig], [FIG_FILE_TOP
| 4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
|@@ -415,6 +415,8 @@ AT_CHECK([fig2dev -L pict2e text.fig
| ], 0, ignore)
| AT_CHECK([fig2dev -L tikz text.fig
| ], 0, ignore)
|+AT_CHECK([fig2dev -L mp text.fig
|+], 0, ignore)
| AT_CLEANUP
|
| AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
--
2.16.4
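Review bot: `TEXFONTSIZE` in texfonts.h still has no lower bound: `(S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S)` indexes the table with a negative value whenever `S` is negative, which is the same class of out-of-bounds read this patch closes for the font index. Unless the reader already rejects negative sizes (not visible here), the condition should be `(S) >= 0 && (S) <= MAXFONTSIZE`. The rewritten font macros also evaluate `F` up to three times, so they must not be given an argument with side effects; a `static inline` lookup function would avoid that. The `<= MAX_FONT` test paired with a `MAX_FONT-1` fallback is worth checking against the table sizes as well.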

114
4d4e1f.patch Normal file

@ -0,0 +1,114 @@
From 4d4e1fdac467c386cba8706aa0067d5ab8da02d7 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Mon, 3 Feb 2020 23:39:32 +0100
Subject: [PATCH] Allow DEFAULT color in cgm and ge output, #72, #73
Also, fix a memory leak in gencgm.c.
---
fig2dev/dev/gencgm.c | 8 +++++++-
fig2dev/dev/genge.c | 7 ++++---
fig2dev/tests/data/line.fig | 2 +-
fig2dev/tests/output.at | 12 ++++++++++++
4 files changed, 24 insertions(+), 5 deletions(-)
diff --git fig2dev/dev/gencgm.c fig2dev/dev/gencgm.c
index 0f472a8..e12940f 100644
--- fig2dev/dev/gencgm.c
+++ fig2dev/dev/gencgm.c
@@ -151,9 +151,11 @@ gencgm_start(F_compound *objects)
{
int i;
char *p, *figname;
+ char *figname_buf = NULL;
if (from) {
- figname = strdup(from);
+ figname_buf = strdup(from);
+ figname = figname_buf;
p = strrchr(figname, '/');
if (p)
figname = p+1; /* remove path from name for comment in file */
@@ -255,6 +257,8 @@ gencgm_start(F_compound *objects)
print_comments("% ",objects->comments, " %");
fprintf(tfp,"%% %%\n");
}
+ if (figname_buf)
+ free(figname_buf);
}
int
@@ -552,6 +556,8 @@ hatchindex(index)
static void
getrgb(int color, int *r, int *g, int *b)
{
+ if (color < 0) /* DEFAULT color is black */
+ color = 0;
if (color < NUM_STD_COLS) {
*r = stdcols[color].r * 255.;
*g = stdcols[color].g * 255.;
diff --git fig2dev/dev/genge.c fig2dev/dev/genge.c
index b171f39..5697bb6 100644
--- fig2dev/dev/genge.c
+++ fig2dev/dev/genge.c
@@ -56,7 +56,8 @@ static void genge_ctl_spline(F_spline *s);
/* color mapping */
/* xfig ge */
-static int GE_COLORS[] = { 1, /* black black */
+static int GE_COLORS[] = { 1, /* DEFAULT == black */
+ 1, /* black black */
8, /* blue blue */
7, /* green green */
6, /* cyan cyan */
@@ -438,7 +439,7 @@ back_arrow(F_line *l)
static void
set_color(int col)
{
- fprintf(tfp,"c%02d ",GE_COLORS[col]);
+ fprintf(tfp,"c%02d ",GE_COLORS[col + 1]);
}
/* set fill if there is a fill style */
@@ -447,7 +448,7 @@ static void
set_fill(int style, int color)
{
if (style != UNFILLED)
- fprintf(tfp,"C%02d ",GE_COLORS[color]);
+ fprintf(tfp,"C%02d ",GE_COLORS[color + 1]);
}
/*
diff --git fig2dev/tests/data/line.fig fig2dev/tests/data/line.fig
index e033b12..bfc4976 100644
--- fig2dev/tests/data/line.fig
+++ fig2dev/tests/data/line.fig
@@ -7,5 +7,5 @@ A9
Single
-2
1200 2
-2 1 0 3 0 7 50 -1 -1 0.0 0 0 -1 0 0 3
+2 1 0 3 -1 7 50 -1 -1 0.0 0 0 -1 0 0 3
50 50 500 50 500 200
diff --git fig2dev/tests/output.at fig2dev/tests/output.at
index 9a1bc45..fd06727 100644
--- fig2dev/tests/output.at
+++ fig2dev/tests/output.at
@@ -261,3 +261,15 @@ AT_CHECK([fig2dev -L tikz -P big1.fig big1.tex && \
latex -halt-on-error big1.tex && latex -halt-on-error big2.tex
], 0, ignore)
AT_CLEANUP
+
+
+AT_BANNER([Test other output languages.])
+
+AT_SETUP([allow default color in ge, cgm output, #72, #73])
+AT_KEYWORDS(cgm ge)
+AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig
+], 0, ignore)
+AT_CHECK([fig2dev -L ge $srcdir/data/line.fig
+], 0, ignore)
+AT_CLEANUP
+
--
2.16.4

38
639c36.patch Normal file

@ -0,0 +1,38 @@
From 639c36010a120e97a6e82e7cd57cbf9dbf4b64f1 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Tue, 4 Feb 2020 21:52:25 +0100
Subject: [PATCH] Fix pstricks fill with non-solid default color, #77
In the pstricks output, filling an area with the shaded or tinted default color
is now equivalent to filling with shaded or tinted black color.
---
fig2dev/dev/genpstricks.c | 3 ++-
fig2dev/tests/output.at | 1 -
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git fig2dev/dev/genpstricks.c fig2dev/dev/genpstricks.c
index 07c4d09..5acc1f6 100644
--- fig2dev/dev/genpstricks.c
+++ fig2dev/dev/genpstricks.c
@@ -1856,7 +1856,8 @@ format_options(char *options, char *prefix, char *postfix, char *sqrb_init,
else if (fill_style <= 40)
/* shade or tint fill */
sprintf(tmps, "fillstyle=solid,fillcolor=%s",
- shade_or_tint_name_after_declare_color(tmpc, fill_style, fill_color));
+ shade_or_tint_name_after_declare_color(tmpc, fill_style,
+ fill_color == DEFAULT ? CT_BLACK : fill_color));
else {
char *type = 0, *ps;
int angle = 0;
diff --git fig2dev/tests/output.at fig2dev/tests/output.at
index e0d088c..e1e5ca4 100644
--- fig2dev/tests/output.at
+++ fig2dev/tests/output.at
@@ -280,4 +280,3 @@ AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig
AT_CHECK([fig2dev -L ge $srcdir/data/line.fig
], 0, ignore)
AT_CLEANUP
-
--
2.16.4
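Review bot: The DEFAULT-to-black mapping is applied only at this one call in `format_options`, so any other caller of `shade_or_tint_name_after_declare_color` would still pass DEFAULT through; doing the substitution inside that helper would cover every call site at once. The helper's body is outside the hunk, so whether other callers exist needs checking. Separately, the surrounding `sprintf(tmps, ...)` writes a generated colour name into `tmps` without a bound; `snprintf(tmps, sizeof tmps, ...)` would be safer if `tmps` is an array in this scope.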

84
acccc8.patch Normal file

@ -0,0 +1,84 @@
From acccc89c20206a5db1f463438ba444e35bcb400e Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Tue, 28 Jan 2020 22:56:40 +0100
Subject: [PATCH] Reject text or ellipse angles beyond -2pi to 2pi, #76
In fact, generously extend the allowed range to -7 to 7.
Sane applications, e.g., xfig, certainly keep the angles within one revolution.
---
CHANGES | 6 +++---
fig2dev/object.h | 7 ++++---
fig2dev/tests/read.at | 8 ++++++++
3 files changed, 15 insertions(+), 6 deletions(-)
|diff --git CHANGES CHANGES
|index 4834e50..52daead 100644
|--- CHANGES
|+++ CHANGES
|@@ -6,9 +6,9 @@ Patchlevel Xx (Xxx 20xx)
|
| BUGS FIXED:
| Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
|- o Fix ticket #81.
|- o Do not allow ASCII NUL anywhere in input.
|- Fixes tickets #65, #68, #71, #73, #75, #80.
|+ o Accept text and ellipse angles only within -2*pi to 2*pi. Fixes #76.
|+ o Allow -1 as default TeX font, not only 0. Fixes #71, #75, #81.
|+ o Do not allow ASCII NUL anywhere in input. Fixes #65, #68, #73, #80.
| o Use getline() to improve input scanning.
| Fixes tickets #58, #59, #61, #62, #67, #78, #79.
| o Correctly scan embedded pdfs for /MediaBox value.
diff --git fig2dev/object.h fig2dev/object.h
index fe56bbb..8464010 100644
--- fig2dev/object.h
+++ fig2dev/object.h
@@ -3,7 +3,7 @@
* Copyright (c) 1991 by Micah Beck
* Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
* Parts Copyright (c) 1989-2015 by Brian V. Smith
- * Parts Copyright (c) 2015-2019 by Thomas Loimer
+ * Parts Copyright (c) 2015-2020 by Thomas Loimer
*
* Any party obtaining a copy of these files is granted, free of charge, a
* full and unrestricted irrevocable, world-wide, paid up, royalty-free,
@@ -94,7 +94,8 @@ typedef struct f_ellipse {
#define INVALID_ELLIPSE(e) \
e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA || \
COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
- e->radiuses.x == 0 || e->radiuses.y == 0
+ e->radiuses.x == 0 || e->radiuses.y == 0 || \
+ e->angle < -7. || e->angle > 7.
typedef struct f_arc {
int type;
@@ -243,7 +244,7 @@ typedef struct f_text {
t->type < T_LEFT_JUSTIFIED || t->type > T_RIGHT_JUSTIFIED || \
t->font < DEFAULT || t->font > MAX_PSFONT || \
t->flags < DEFAULT || t->flags >= 2 * HIDDEN_TEXT || \
- t->height < 0 || t->length < 0
+ t->height < 0 || t->length < 0 || t->angle < -7. || t->angle > 7.
typedef struct f_control {
double lx, ly, rx, ry; /* used by older versions*/
|diff --git fig2dev/tests/read.at fig2dev/tests/read.at
|index 726e6da..2d066e4 100644
|--- fig2dev/tests/read.at
|+++ fig2dev/tests/read.at
|@@ -424,6 +424,14 @@ AT_KEYWORDS([read.c svg])
| AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
| AT_CLEANUP
|
|+AT_SETUP([reject out of range text angle, ticket #76])
|+AT_CHECK([fig2dev -L pstricks <<EOF
|+FIG_FILE_TOP
|+4 0 0 50 -1 -1 12 9e26 0 150 405 0 0 Very slanted text\001
|+EOF
|+], 1, ignore, ignore)
|+AT_CLEANUP
|+
| AT_BANNER([Dynamically allocate picture file name.])
|
| AT_SETUP([prepend fig file path to picture file name])
--
2.16.4
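Review bot: The new range tests `e->angle < -7. || e->angle > 7.` and `t->angle < -7. || t->angle > 7.` in object.h do not reject NaN, because both comparisons are false for it, so an angle that parses as NaN still counts as valid (assuming `angle` is a floating-point field, as the literals suggest). Writing the test in the accepting direction and negating it closes the gap: `!(e->angle >= -7. && e->angle <= 7.)`, and likewise for `t->angle`. The `INT_MIN`/`INT_MAX` check on spline control points added in e3cee2.patch has the same shape and the same gap. A named constant for 7, with a comment that it is 2*pi rounded up, would make the bound easier to read.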

40
d6a10d.patch Normal file

@ -0,0 +1,40 @@
From d6a10d168469ed9c4d681ebdc577ea0f65de1501 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Sun, 26 Jan 2020 22:13:26 +0100
Subject: [PATCH] Fix ticket #60. The previous commit fixed also #65, #68, #71,
#73, #75
---
CHANGES | 3 ++-
fig2dev/read.c | 1 +
2 files changed, 3 insertions(+), 1 deletion(-)
|diff --git CHANGES CHANGES
|index f1bbbc3..4834e50 100644
|--- CHANGES
|+++ CHANGES
|@@ -7,7 +7,8 @@ Patchlevel Xx (Xxx 20xx)
| BUGS FIXED:
| Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
| o Fix ticket #81.
|- o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
|+ o Do not allow ASCII NUL anywhere in input.
|+ Fixes tickets #65, #68, #71, #73, #75, #80.
| o Use getline() to improve input scanning.
| Fixes tickets #58, #59, #61, #62, #67, #78, #79.
| o Correctly scan embedded pdfs for /MediaBox value.
diff --git fig2dev/read.c fig2dev/read.c
index 86cee71..797030c 100644
--- fig2dev/read.c
+++ fig2dev/read.c
@@ -1322,6 +1322,7 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
}
q->x = x;
q->y = y;
+ q->next = NULL;
p->next = q;
p = q;
++c;
--
2.16.4

129
d70e4b.patch Normal file

@ -0,0 +1,129 @@
From d70e4ba6308046f71cb51f67db8412155af52411 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Sun, 26 Jan 2020 13:16:52 +0100
Subject: [PATCH] Reject ASCII NUL anywhere in the input
The input is read in line by line, stored in a buffer and processed further
with sscanf(). Embedded NUL characters ('\0') would already disturb sscanf(),
and nowhere does the code expect NUL characters. Therefore, detect NUL while
reading the input, and exit with an error message when NUL is found anywere.
Fixes ticket #80.
---
CHANGES | 4 ++++
fig2dev/read.c | 21 +++++++++++++++++++--
fig2dev/tests/data/text_w_ascii0.fig | Bin 0 -> 321 bytes
fig2dev/tests/read.at | 6 ++++++
4 files changed, 29 insertions(+), 2 deletions(-)
create mode 100644 fig2dev/tests/data/text_w_ascii0.fig
|diff --git CHANGES CHANGES
|index 4a414fa..f1bbbc3 100644
|--- CHANGES
|+++ CHANGES
|@@ -6,6 +6,10 @@ Patchlevel Xx (Xxx 20xx)
|
| BUGS FIXED:
| Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
|+ o Fix ticket #81.
|+ o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
|+ o Use getline() to improve input scanning.
|+ Fixes tickets #58, #59, #61, #62, #67, #78, #79.
| o Correctly scan embedded pdfs for /MediaBox value.
| o Convert polygons having too few points to polylines. Ticket #56.
| o Reject huge arrow types causing integer overflow. Ticket #57.
diff --git fig2dev/read.c fig2dev/read.c
index e85ee10..86cee71 100644
--- fig2dev/read.c
+++ fig2dev/read.c
@@ -178,8 +178,14 @@ read_objects(FILE *fp, F_compound *obj)
put_msg("Could not read input file.");
return -1;
}
- /* seek to the end of the first line */
- if (strchr(buf, '\n') == NULL) {
+
+ /* check for embedded '\0' */
+ if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
+ put_msg("ASCII NUL ('\\0') character within the first line.");
+ exit(EXIT_FAILURE);
+ /* seek to the end of the first line
+ (the only place, where '\0's are tolerated) */
+ } else if (buf[strlen(buf) - 1] != '\n') {
int c;
do
c = fgetc(fp);
@@ -1398,6 +1404,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
return s;
}
+static void
+exit_on_ascii_NUL(const char *restrict line, size_t chars, int line_no)
+{
+ if (strlen(line) < (size_t)chars) {
+ put_msg("ASCII NUL ('\\0') in line %d.", line_no);
+ exit(EXIT_FAILURE);
+ }
+}
+
static char *
find_end(const char *str, int v30flag)
{
@@ -1469,6 +1484,7 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
while ((chars = getline(line, line_len, fp)) != -1) {
++(*line_no);
+ exit_on_ascii_NUL(*line, chars, *line_no);
end = find_end(*line, v30_flag);
if (end) {
*end = '\0';
@@ -1640,6 +1656,7 @@ get_line(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
if (**line == '\n' || (**line == '\r' &&
chars == 2 && (*line)[1] == '\n'))
continue;
+ exit_on_ascii_NUL(*line, chars, *line_no);
/* remove newline and possibly a carriage return */
if ((*line)[chars-1] == '\n') {
chars -= (*line)[chars - 2] == '\r' ? 2 : 1;
|diff --git fig2dev/tests/data/text_w_ascii0.fig fig2dev/tests/data/text_w_ascii0.fig
|new file mode 100644
|index 0000000000000000000000000000000000000000..fb15b306b26a42446b809d0caf77efcfc73c588a
|GIT binary patch
|literal 321
|zcmV-H0lxktMoC8?GcGa;Okr+hb7Ns}WeP)OZggdG3Q2BbXk~K>Ol5R*WpWBJFfcAK
|zFbY#?Zf9&|3N11UF)}bPATkOxATS^>ATl5@ATl)|F*Y+GGch1HATS^xFd!{4ATb~?
|zATkOdFeV^0ATcs9AT=O)Tp%DYATS^>US3{aUP@kGUS3`R!hplS!@pi$US3{aUS3{a
|zUS3{aUS3{aUS3{aG&LYaTrf#7d0a3sF$yCzATS^>AT=-`EioW1F(5HAATTa4ATS^?
|zH83DFFf|}BATS_7ZXjWEV`*t1dS!BNASYa0Fee~rWpZU8Ej|D)E-qniWFT{IZDk;B
|zZ*pZIbY*ySAZBlDY;SjIZf7hYcWHEJAYmY5WpZ?3X>K54ZEtmMbRchLAZ=-GX>E0F
|TAY*7@a$#e1WpZ;|FfcI+7J*tc
|
|literal 0
|KcmV+b0RR6000031
|
|diff --git fig2dev/tests/read.at fig2dev/tests/read.at
|index 331afb5..60982b0 100644
|--- fig2dev/tests/read.at
|+++ fig2dev/tests/read.at
|@@ -407,6 +407,7 @@ EOF
| AT_CLEANUP
|
| AT_SETUP([allow tex font -1, ticket #81])
|+AT_KEYWORDS([pict2e tikz])
| AT_DATA([text.fig], [FIG_FILE_TOP
| 4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
| ])
|@@ -416,6 +417,11 @@ AT_CHECK([fig2dev -L tikz text.fig
| ], 0, ignore)
| AT_CLEANUP
|
|+AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
|+AT_KEYWORDS([read.c svg])
|+AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
|+AT_CLEANUP
|+
| AT_BANNER([Dynamically allocate picture file name.])
|
| AT_SETUP([prepend fig file path to picture file name])
--
2.16.4
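Review bot: In `read_objects` the new first-line check evaluates `buf[strlen(buf) - 1]` without ruling out an empty string: if the first byte read is NUL, `strlen(buf)` is 0 and the index wraps to `SIZE_MAX`, an out-of-bounds read inside the check that is meant to catch NUL bytes. Taking the length once and testing it first avoids that, e.g. `size_t len = strlen(buf);` followed by `if (len == 0 || (len < sizeof buf - 1 && buf[len - 1] != '\n'))`, and the `else if` below needs the same guard. How `buf` is filled lies above the hunk, so this assumes an `fgets`-style read. In `exit_on_ascii_NUL` the `(size_t)chars` cast is redundant because the parameter is already `size_t`.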

33
e3cee2.patch Normal file

@ -0,0 +1,33 @@
From e3cee2576438f47a3b8678c6960472e625f8f7d7 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Mon, 27 Jan 2020 22:14:29 +0100
Subject: [PATCH] Keep coordinates of spline controls within sane range
This fixes the fundamental issue of ticket #65.
---
fig2dev/read.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git fig2dev/read.c fig2dev/read.c
index 797030c..255586a 100644
--- fig2dev/read.c
+++ fig2dev/read.c
@@ -1393,6 +1393,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
free_splinestorage(s);
return NULL;
}
+ if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
+ rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
+ /* do not care to clean up, we exit anyway
+ cp->next = NULL;
+ free_splinestorage(s); */
+ put_msg("Spline control points out of range at line %d.",
+ *line_no);
+ exit(EXIT_FAILURE);
+ }
cq->lx = lx; cq->ly = ly;
cq->rx = rx; cq->ry = ry;
cp->next = cq;
--
2.16.4
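Review bot: The new out-of-range branch in `read_splineobject` calls `exit(EXIT_FAILURE)` and keeps its cleanup as commented-out code, while the error branch directly above it frees the spline and returns NULL. Following the existing pattern would keep the reader's error handling uniform and remove the dead comment: `cp->next = NULL; free_splinestorage(s); return NULL;` after the `put_msg` call. Whether `cq` also needs freeing on that path depends on code above the hunk.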


@ -137,3 +137,35 @@
#include "transfig.h"
extern void sysmv(char *file); /* sys.c */
--- configure
+++ configure 2020-01-24 13:08:02.103408590 +0000
@@ -4122,7 +4122,7 @@ main ()
int dynamic_array[ni.number];
dynamic_array[ni.number - 1] = 543;
-
+ free(ia);
// work around unused variable warnings
return (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x'
|| dynamic_array[ni.number - 1] != 543);
@@ -6377,8 +6377,8 @@ char *malloc ();
int
main ()
{
-return ! malloc (0);
- ;
+void *tmp = malloc (0);
+if (tmp) free (tmp); return !tmp;
return 0;
}
_ACEOF
@@ -6444,7 +6444,8 @@ char *realloc ();
int
main ()
{
-return ! realloc (0, 0);
+void *tmp = realloc (0, 0);
+if (tmp) free (tmp); return !tmp;
;
return 0;
}


@ -1,3 +1,18 @@
-------------------------------------------------------------------
Tue Feb 11 11:38:01 UTC 2020 - Dr. Werner Fink <werner@suse.de>
- Add upstream security patches/commits
* 00cded.patch
* 2f8d1a.patch
* 3165d8.patch
* 421afa.patch
* 4d4e1f.patch
* 639c36.patch
* acccc8.patch
* d6a10d.patch
* d70e4b.patch
* e3cee2.patch
-------------------------------------------------------------------
Tue Jan 21 13:08:49 UTC 2020 - Dr. Werner Fink <werner@suse.de>


@ -1,7 +1,7 @@
#
# spec file for package transfig
#
# Copyright (c) 2020 SUSE LLC.
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -60,6 +60,16 @@ Patch4: transfig-fix-afl.patch
Patch5: CVE-2019-19746.patch
Patch6: c379fe.patch
Patch7: CVE-2019-19797.patch
Patch8: 00cded.patch
Patch9: d70e4b.patch
Patch10: d6a10d.patch
Patch11: acccc8.patch
Patch12: e3cee2.patch
Patch13: 421afa.patch
Patch14: 2f8d1a.patch
Patch15: 4d4e1f.patch
Patch16: 3165d8.patch
Patch17: 639c36.patch
Patch43: fig2dev-3.2.6-fig2mpdf.patch
Patch44: fig2dev-3.2.6-fig2mpdf-doc.patch
Patch45: fig2dev-3.2.6a-RGBFILE.patch
@ -107,15 +117,26 @@ find -type f | xargs -r chmod a-x,go-w
%patch5 -p0 -b .sec2
%patch6 -p0 -b .sec3
%patch7 -p0 -b .sec4
%patch8 -p0 -b .sec5
%patch9 -p0 -b .sec6
%patch10 -p0 -b .sec7
%patch11 -p0 -b .sec8
%patch12 -p0 -b .sec9
%patch13 -p0 -b .sec10
%patch14 -p0 -b .sec11
%patch15 -p0 -b .sec12
%patch16 -p0 -b .sec13
%patch17 -p0 -b .sec14
%patch43 -p2 -b .mpdf
%patch44 -p1 -b .mpdfdoc
%patch45 -p1 -b .p45
%build
ulimit -v unlimited || :
CC=gcc
CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99"
CFLAGS="$CFLAGS -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
export CC CFLAGS
CFLAGS="%{optflags} -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99 -fsanitize=address $(getconf LFS_CFLAGS)"
LDFLAGS="-lasan"
export CC CFLAGS LDFLAGS
chmod 755 configure
%configure \
--docdir=%{_defaultdocdir}/%{name} \
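Review bot: If the `CFLAGS` line carrying `-fsanitize=address` and the `LDFLAGS="-lasan"` line are the new side of this %build hunk (the rendering shows old and new lines without markers), the shipped fig2dev binary is built with AddressSanitizer. ASan is a testing aid: it adds considerable memory and run-time overhead, and its runtime behaviour can be changed through `ASAN_OPTIONS`, so it is normally confined to a test or %check build rather than the released package. A comment in the spec stating the intent, or a build conditional around the sanitizer flags, would make the choice explicit. The flags also keep `-w`, which silences every compiler warning for code that has just received a series of memory-safety fixes.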