SHA256
1
0
forked from pool/transfig
transfig/CVE-2019-19746.patch

70 lines
2.2 KiB
Diff
Raw Normal View History

Based on 3065abc7b4f740ed6532322843531317de782a26 Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Tue, 10 Dec 2019 13:17:36 +0100
Subject: [PATCH] Reject huge arrow types, ticket #57
An arrow type being large enough would pass the test for
a valid type by integer overflow.
---
fig2dev/arrow.c | 13 ++++++++-----
fig2dev/tests/read.at | 12 ++++++++++++
2 files changed, 20 insertions(+), 5 deletions(-)
--- fig2dev/arrow.c
+++ fig2dev/arrow.c 2020-01-21 11:02:33.457498151 +0000
@@ -1,9 +1,10 @@
/*
* Fig2dev: Translate Fig code to various Devices
- * Copyright (c) 1985 by Supoj Sutantavibul
* Copyright (c) 1991 by Micah Beck
- * Parts Copyright (c) 1989-2002 by Brian V. Smith
- * Parts Copyright (c) 2015-2018 by Thomas Loimer
+ * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ * Parts Copyright (c) 1989-2015 by Brian V. Smith
+ * Parts Copyright (c) 2015-2019 by Thomas Loimer
+ *
*
* Any party obtaining a copy of these files is granted, free of charge, a
* full and unrestricted irrevocable, world-wide, paid up, royalty-free,
@@ -78,7 +79,9 @@ make_arrow(int type, int style, double t
{
F_arrow *a;
- if (style < 0 || style > 1 || type < 0 || (type + 1) * 2 > NUMARROWS)
+ if (style < 0 || style > 1 || type < 0 ||
+ /* beware of int overflow */
+ type > NUMARROWS || (type + 1) * 2 > NUMARROWS)
return NULL;
if (NULL == (Arrow_malloc(a))) {
put_msg(Err_mem);
@@ -90,7 +93,7 @@ make_arrow(int type, int style, double t
a->type = type;
a->style = style;
- a->thickness = thickness*THICK_SCALE;
+ a->thickness = thickness * THICK_SCALE;
a->wid = wid;
a->ht = ht;
return a;
--- fig2dev/tests/read.at
+++ fig2dev/tests/read.at 2020-01-21 11:02:33.457498151 +0000
@@ -135,6 +135,18 @@ A single point with a backward arrow - r
])
AT_CLEANUP
+AT_SETUP([reject huge arrow-type, ticket #57])
+AT_KEYWORDS(arrow.c arrow)
+AT_CHECK([fig2dev -L box <<EOF
+FIG_FILE_TOP
+2 1 0 1 -1 -1 50 -1 -1 0. 0 0 0 1 0 2
+ 10000000000000 0 1 60 120
+0 0 600 0
+EOF
+], 1, ignore, [Invalid forward arrow at line 11.
+])
+AT_CLEANUP
+
AT_SETUP([reject negative font type])
AT_KEYWORDS(read.c font)
AT_CHECK([fig2dev -L box <<EOF