Various security fixes

OBS-URL: https://build.opensuse.org/package/show/Publishing/transfig?expand=0&rev=62

00cded.patch

@@ -0,0 +1,79 @@
+From 00cdedac7a0b029846dee891769a1e77df83a01b Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sat, 25 Jan 2020 15:04:59 +0100
+Subject: [PATCH] Accept -1 as default TeX font, fixes ticket #81
+
+The default for PostScript fonts is -1, for TeX fonts 0. Accepting -1 for TeX
+fonts lead to out-of-bound read. Now, -1 for TeX fonts is converted to 0.
+---
+ fig2dev/dev/genpict2e.c |  9 +++++----
+ fig2dev/dev/gentikz.c   |  9 +++++----
+ fig2dev/tests/read.at   | 10 ++++++++++
+ 3 files changed, 20 insertions(+), 8 deletions(-)
+
+diff --git fig2dev/dev/genpict2e.c fig2dev/dev/genpict2e.c
+index 6ab442e..dd6fd95 100644
+--- fig2dev/dev/genpict2e.c
++++ fig2dev/dev/genpict2e.c
+@@ -2223,11 +2223,12 @@ put_font(F_text *t)
+ 	}
+ 
+ 	if (psfont_text(t))
+-	    fprintf(tfp, "\\usefont%s",
+-		    texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
++		fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
++				t->font + 1 : 0]);
+ 	else
+-	    fprintf(tfp, "\\normalfont%s ",
+-		    texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
++		/* Default psfont is -1, default texfont 0, also accept -1. */
++		fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
++				(t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
+ }
+ 
+ void
+diff --git fig2dev/dev/gentikz.c fig2dev/dev/gentikz.c
+index 797ca1c..b374e10 100644
+--- fig2dev/dev/gentikz.c
++++ fig2dev/dev/gentikz.c
+@@ -1772,11 +1772,12 @@ put_font(F_text *t)
+ 	}
+ 
+ 	if (psfont_text(t))
+-	    fprintf(tfp, "\\usefont%s",
+-		    texpsfonts[t->font <= MAX_PSFONT ? t->font + 1 : 0]);
++		fprintf(tfp, "\\usefont%s", texpsfonts[t->font <= MAX_PSFONT ?
++				t->font + 1 : 0]);
+ 	else
+-	    fprintf(tfp, "\\normalfont%s ",
+-		    texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
++		/* Default psfont is -1, default texfont 0, also accept -1. */
++		fprintf(tfp, "\\normalfont%s ", texfonts[t->font <= MAX_FONT ?
++			    (t->font >= 0 ? t->font : 0) : MAX_FONT - 1]);
+ }
+ 
+ /*
+diff --git fig2dev/tests/read.at fig2dev/tests/read.at
+index 9b34bfb..331afb5 100644
+--- fig2dev/tests/read.at
++++ fig2dev/tests/read.at
+@@ -406,6 +406,16 @@ EOF
+ ])
+ AT_CLEANUP
+ 
++AT_SETUP([allow tex font -1, ticket #81])
++AT_DATA([text.fig], [FIG_FILE_TOP
++4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
++])
++AT_CHECK([fig2dev -L pict2e text.fig
++], 0, ignore)
++AT_CHECK([fig2dev -L tikz text.fig
++], 0, ignore)
++AT_CLEANUP
++
+ AT_BANNER([Dynamically allocate picture file name.])
+ 
+ AT_SETUP([prepend fig file path to picture file name])
+-- 
+2.16.4
+

2f8d1a.patch

@@ -0,0 +1,63 @@
+From 2f8d1ae9763dcdc99b88a2b14849fe37174bcd69 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Wed, 29 Jan 2020 22:53:32 +0100
+Subject: [PATCH] Reject out-of-range pattern, ticket #63
+
+---
+ fig2dev/object.h      |  2 +-
+ fig2dev/tests/read.at | 19 +++++++++++++++++--
+ 2 files changed, 18 insertions(+), 3 deletions(-)
+
+diff --git fig2dev/object.h fig2dev/object.h
+index 8464010..6830b13 100644
+--- fig2dev/object.h
++++ fig2dev/object.h
+@@ -61,7 +61,7 @@ typedef struct f_comment {
+ 	o->style < SOLID_LINE || o->style > DASH_3_DOTS_LINE ||		\
+ 	o->thickness < 0 || o->depth < 0 || o->depth > 999 || 		\
+ 	o->fill_style < UNFILLED ||					\
+-	o->fill_style > NUMSHADES + NUMTINTS + NUMPATTERNS ||		\
++	o->fill_style >= NUMSHADES + NUMTINTS + NUMPATTERNS ||		\
+ 	o->style_val < 0.0
+ 
+ typedef struct f_ellipse {
+|diff --git fig2dev/tests/read.at fig2dev/tests/read.at
+|index 2d066e4..bf117ee 100644
+|--- fig2dev/tests/read.at
+|+++ fig2dev/tests/read.at
+|@@ -421,15 +421,30 @@ AT_CLEANUP
+| 
+| AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
+| AT_KEYWORDS([read.c svg])
+|-AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
+|+AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig],
+|+1, ignore, [ASCII NUL ('\0') in line 11.
+|+])
+| AT_CLEANUP
+| 
+| AT_SETUP([reject out of range text angle, ticket #76])
+|+AT_KEYWORDS([read.c pstricks])
+| AT_CHECK([fig2dev -L pstricks <<EOF
+| FIG_FILE_TOP
+| 4 0 0 50 -1 -1 12 9e26 0 150 405 0 0 Very slanted text\001
+| EOF
+|-], 1, ignore, ignore)
+|+], 1, ignore, [Invalid text object at line 10.
+|+])
+|+AT_CLEANUP
+|+
+|+AT_SETUP([reject out-of-range pattern fills, ticket #63])
+|+AT_KEYWORDS([read.c cgm])
+|+AT_CHECK([fig2dev -L cgm <<EOF
+|+FIG_FILE_TOP
+|+2 3 0 0 0 7 50 -1 63 0.000 0 0 -1 0 0 4
+|+	 0 0 1200 0 600 800 0 0
+|+EOF
+|+], 1, ignore, [Invalid line object at line 10.
+|+])
+| AT_CLEANUP
+| 
+| AT_BANNER([Dynamically allocate picture file name.])
+-- 
+2.16.4
+

3165d8.patch

@@ -0,0 +1,75 @@
+From 3165d86c31c6323913239fdc6460be6ababd3826 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 4 Feb 2020 20:58:27 +0100
+Subject: [PATCH] Allow arrows with zero length on arcs, ticket #74
+
+---
+ fig2dev/bound.c         |  9 +++++----
+ fig2dev/tests/output.at | 10 +++++++++-
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git fig2dev/bound.c fig2dev/bound.c
+index ce7f4d1..d305ab9 100644
+--- fig2dev/bound.c
++++ fig2dev/bound.c
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1985 Supoj Sutanthavibul
+  * Copyright (c) 1991 Micah Beck
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2019 Thomas Loimer
++ * Parts Copyright (c) 2015-2020 Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -1095,9 +1095,8 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
+ 	r=sqrt(dx*dx+dy*dy);
+ 	h = (double) arrow->ht;
+ 	/* lines are made a little thinner in set_linewidth */
+-	thick = (arrow->thickness <= THICK_SCALE) ?
+-		    0.5* arrow->thickness :
+-		    arrow->thickness - THICK_SCALE;
++	thick = arrow->thickness <= THICK_SCALE ?
++		0.5 * arrow->thickness : arrow->thickness - THICK_SCALE;
+ 	/* lpt is the amount the arrowhead extends beyond the end of the line */
+ 	lpt = thick/2.0/(arrow->wid/h/2.0);
+ 	/* add this to the length */
+@@ -1107,6 +1106,8 @@ compute_arcarrow_angle(double x1, double y1, double x2, double y2,
+ 	if (h > 2.0*r) {
+ 	    arc_tangent_int(x1,y1,x2,y2,direction,x,y);
+ 	    return;
++	} else if (h < thick) {
++	    h = thick;
+ 	}
+ 
+ 	beta=atan2(dy,dx);
+diff --git fig2dev/tests/output.at fig2dev/tests/output.at
+index fd06727..e0d088c 100644
+--- fig2dev/tests/output.at
++++ fig2dev/tests/output.at
+@@ -2,7 +2,7 @@ dnl Fig2dev: Translate Fig code to various Devices
+ dnl Copyright (c) 1991 by Micah Beck
+ dnl Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+ dnl Parts Copyright (c) 1989-2015 by Brian V. Smith
+-dnl Parts Copyright (c) 2015-2019 by Thomas Loimer
++dnl Parts Copyright (c) 2015-2020 by Thomas Loimer
+ dnl
+ dnl Any party obtaining a copy of these files is granted, free of charge, a
+ dnl full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -175,6 +175,14 @@ AT_CHECK([fig2dev -L pict2e -P big1.fig big1.tex && \
+ ], 0, ignore)
+ AT_CLEANUP
+ 
++AT_SETUP([accept arc arrows with zero height, ticket #74])
++AT_KEYWORDS(pict2e)
++AT_CHECK([fig2dev -L pict2e <<EOF
++FIG_FILE_TOP
++5 1 0 1 0 7 50 -1 -1 0.0 0 0 1 0 0.0 0.0 600 0 0 600 -600 0
++	1 1 1.0 60.0 0.0
++EOF], 0, ignore)
++AT_CLEANUP
+ 
+ AT_BANNER([Test svg output language.])
+ AT_SETUP([compare patterns with template])
+-- 
+2.16.4
+

421afa.patch

@@ -0,0 +1,68 @@
+From 421afa17d8cb8dafcaf3e6044a70790fa4fe307b Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Mon, 27 Jan 2020 23:01:11 +0100
+Subject: [PATCH] Accept -1 TeX font in more places, fixes #71, #75
+
+Continue the work started in commit [00cded]. Fix the fundamental issue of
+tickets #71 and #75, which was hidden by commit [d70e4b].
+---
+ fig2dev/dev/texfonts.h | 14 +++++++++-----
+ fig2dev/tests/read.at  |  4 +++-
+ 2 files changed, 12 insertions(+), 6 deletions(-)
+
+diff --git fig2dev/dev/texfonts.h fig2dev/dev/texfonts.h
+index 89097f2..e5254b6 100644
+--- fig2dev/dev/texfonts.h
++++ fig2dev/dev/texfonts.h
+@@ -35,17 +35,21 @@ extern char		texfontsizes[];
+ #define MAXFONTSIZE	42
+ 
+ #ifdef NFSS
+-#define TEXFAMILY(F)	(texfontfamily[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+-#define TEXSERIES(F)	(texfontseries[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
+-#define TEXSHAPE(F)	(texfontshape[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
++#define TEXFAMILY(F)	texfontfamily[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++						: MAX_FONT-1]
++#define TEXSERIES(F)	texfontseries[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++						: MAX_FONT-1]
++#define TEXSHAPE(F)	texfontshape[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++						: MAX_FONT-1]
+ #endif
+-#define TEXFONT(F)	(texfontnames[((F) <= MAX_FONT) ? (F) : (MAX_FONT-1)])
++#define TEXFONT(F)	texfontnames[(F) <= MAX_FONT ? ((F) >= 0 ? (F) : 0) \
++						: MAX_FONT-1]
+ 
+ /*
+ #define TEXFONTSIZE(S)	(texfontsizes[((S) <= MAXFONTSIZE) ? (int)(round(S))\
+ 							: (MAXFONTSIZE-1)])
+ */
+-#define TEXFONTSIZE(S)	(((S) <= MAXFONTSIZE) ? texfontsizes[(int)(round(S))] : (S))
++#define TEXFONTSIZE(S)	((S) <= MAXFONTSIZE ? texfontsizes[(int)round(S)] : (S))
+ #define TEXFONTMAG(T)	TEXFONTSIZE(T->size*(rigid_text(T) ? 1.0 : fontmag))
+ 
+ void setfigfont(F_text *text);		/* genepic.c */
+|diff --git fig2dev/tests/read.at fig2dev/tests/read.at
+|index 60982b0..726e6da 100644
+|--- fig2dev/tests/read.at
+|+++ fig2dev/tests/read.at
+|@@ -406,7 +406,7 @@ EOF
+| ])
+| AT_CLEANUP
+| 
+|-AT_SETUP([allow tex font -1, ticket #81])
+|+AT_SETUP([allow tex font -1, tickets #71, #75, #81])
+| AT_KEYWORDS([pict2e tikz])
+| AT_DATA([text.fig], [FIG_FILE_TOP
+| 4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
+|@@ -415,6 +415,8 @@ AT_CHECK([fig2dev -L pict2e text.fig
+| ], 0, ignore)
+| AT_CHECK([fig2dev -L tikz text.fig
+| ], 0, ignore)
+|+AT_CHECK([fig2dev -L mp text.fig
+|+], 0, ignore)
+| AT_CLEANUP
+| 
+| AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
+-- 
+2.16.4
+

4d4e1f.patch

@@ -0,0 +1,114 @@
+From 4d4e1fdac467c386cba8706aa0067d5ab8da02d7 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Mon, 3 Feb 2020 23:39:32 +0100
+Subject: [PATCH] Allow DEFAULT color in cgm and ge output, #72, #73
+
+Also, fix a memory leak in gencgm.c.
+---
+ fig2dev/dev/gencgm.c        |  8 +++++++-
+ fig2dev/dev/genge.c         |  7 ++++---
+ fig2dev/tests/data/line.fig |  2 +-
+ fig2dev/tests/output.at     | 12 ++++++++++++
+ 4 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git fig2dev/dev/gencgm.c fig2dev/dev/gencgm.c
+index 0f472a8..e12940f 100644
+--- fig2dev/dev/gencgm.c
++++ fig2dev/dev/gencgm.c
+@@ -151,9 +151,11 @@ gencgm_start(F_compound *objects)
+ {
+   int	 i;
+   char	*p, *figname;
++  char	*figname_buf = NULL;
+ 
+   if (from) {
+-	figname = strdup(from);
++	figname_buf = strdup(from);
++	figname = figname_buf;
+ 	p = strrchr(figname, '/');
+ 	if (p)
+ 	    figname = p+1;	/* remove path from name for comment in file */
+@@ -255,6 +257,8 @@ gencgm_start(F_compound *objects)
+     print_comments("% ",objects->comments, " %");
+     fprintf(tfp,"%% %%\n");
+   }
++  if (figname_buf)
++    free(figname_buf);
+ }
+ 
+ int
+@@ -552,6 +556,8 @@ hatchindex(index)
+ static void
+ getrgb(int color, int *r, int *g, int *b)
+ {
++  if (color < 0)	/* DEFAULT color is black */
++    color = 0;
+   if (color < NUM_STD_COLS) {
+     *r = stdcols[color].r * 255.;
+     *g = stdcols[color].g * 255.;
+diff --git fig2dev/dev/genge.c fig2dev/dev/genge.c
+index b171f39..5697bb6 100644
+--- fig2dev/dev/genge.c
++++ fig2dev/dev/genge.c
+@@ -56,7 +56,8 @@ static void	genge_ctl_spline(F_spline *s);
+ 				    /* color mapping		*/
+ 				    /* xfig	ge		*/
+ 
+-static int	GE_COLORS[] = {	 1, /* black	black		*/
++static int	GE_COLORS[] = {  1, /* DEFAULT == black		*/
++				 1, /* black	black		*/
+ 				 8, /* blue	blue		*/
+ 				 7, /* green	green		*/
+ 				 6, /* cyan	cyan		*/
+@@ -438,7 +439,7 @@ back_arrow(F_line *l)
+ static void
+ set_color(int col)
+ {
+-	fprintf(tfp,"c%02d ",GE_COLORS[col]);
++	fprintf(tfp,"c%02d ",GE_COLORS[col + 1]);
+ }
+ 
+ /* set fill if there is a fill style */
+@@ -447,7 +448,7 @@ static void
+ set_fill(int style, int color)
+ {
+ 	if (style != UNFILLED)
+-	    fprintf(tfp,"C%02d ",GE_COLORS[color]);
++	    fprintf(tfp,"C%02d ",GE_COLORS[color + 1]);
+ }
+ 
+ /*
+diff --git fig2dev/tests/data/line.fig fig2dev/tests/data/line.fig
+index e033b12..bfc4976 100644
+--- fig2dev/tests/data/line.fig
++++ fig2dev/tests/data/line.fig
+@@ -7,5 +7,5 @@ A9
+ Single
+ -2
+ 1200 2
+-2 1 0 3 0 7 50 -1 -1 0.0 0 0 -1 0 0 3
++2 1 0 3 -1 7 50 -1 -1 0.0 0 0 -1 0 0 3
+ 50 50 500 50 500 200
+diff --git fig2dev/tests/output.at fig2dev/tests/output.at
+index 9a1bc45..fd06727 100644
+--- fig2dev/tests/output.at
++++ fig2dev/tests/output.at
+@@ -261,3 +261,15 @@ AT_CHECK([fig2dev -L tikz -P big1.fig big1.tex && \
+ 	latex -halt-on-error big1.tex && latex -halt-on-error big2.tex
+ ], 0, ignore)
+ AT_CLEANUP
++
++
++AT_BANNER([Test other output languages.])
++
++AT_SETUP([allow default color in ge, cgm output, #72, #73])
++AT_KEYWORDS(cgm ge)
++AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig
++], 0, ignore)
++AT_CHECK([fig2dev -L ge $srcdir/data/line.fig
++], 0, ignore)
++AT_CLEANUP
++
+-- 
+2.16.4
+

639c36.patch

@@ -0,0 +1,38 @@
+From 639c36010a120e97a6e82e7cd57cbf9dbf4b64f1 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 4 Feb 2020 21:52:25 +0100
+Subject: [PATCH] Fix pstricks fill with non-solid default color, #77
+
+In the pstricks output, filling an area with the shaded or tinted default color
+is now equivalent to filling with shaded or tinted black color.
+---
+ fig2dev/dev/genpstricks.c | 3 ++-
+ fig2dev/tests/output.at   | 1 -
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git fig2dev/dev/genpstricks.c fig2dev/dev/genpstricks.c
+index 07c4d09..5acc1f6 100644
+--- fig2dev/dev/genpstricks.c
++++ fig2dev/dev/genpstricks.c
+@@ -1856,7 +1856,8 @@ format_options(char *options, char *prefix, char *postfix, char *sqrb_init,
+     else if (fill_style <= 40)
+       /* shade or tint fill */
+       sprintf(tmps, "fillstyle=solid,fillcolor=%s",
+-	      shade_or_tint_name_after_declare_color(tmpc, fill_style, fill_color));
++	      shade_or_tint_name_after_declare_color(tmpc, fill_style,
++		      fill_color == DEFAULT ? CT_BLACK : fill_color));
+     else {
+       char *type = 0, *ps;
+       int angle = 0;
+diff --git fig2dev/tests/output.at fig2dev/tests/output.at
+index e0d088c..e1e5ca4 100644
+--- fig2dev/tests/output.at
++++ fig2dev/tests/output.at
+@@ -280,4 +280,3 @@ AT_CHECK([fig2dev -L cgm $srcdir/data/line.fig
+ AT_CHECK([fig2dev -L ge $srcdir/data/line.fig
+ ], 0, ignore)
+ AT_CLEANUP
+-
+-- 
+2.16.4
+

acccc8.patch

@@ -0,0 +1,84 @@
+From acccc89c20206a5db1f463438ba444e35bcb400e Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Tue, 28 Jan 2020 22:56:40 +0100
+Subject: [PATCH] Reject text or ellipse angles beyond -2pi to 2pi, #76
+
+In fact, generously extend the allowed range to -7 to 7.
+Sane applications, e.g., xfig, certainly keep the angles within one revolution.
+---
+ CHANGES               | 6 +++---
+ fig2dev/object.h      | 7 ++++---
+ fig2dev/tests/read.at | 8 ++++++++
+ 3 files changed, 15 insertions(+), 6 deletions(-)
+
+|diff --git CHANGES CHANGES
+|index 4834e50..52daead 100644
+|--- CHANGES
+|+++ CHANGES
+|@@ -6,9 +6,9 @@ Patchlevel Xx (Xxx 20xx)
+| 
+| BUGS FIXED:
+| 	Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
+|-	o Fix ticket #81.
+|-	o Do not allow ASCII NUL anywhere in input.
+|-	  Fixes tickets #65, #68, #71, #73, #75, #80.
+|+	o Accept text and ellipse angles only within -2*pi to 2*pi. Fixes #76.
+|+	o Allow -1 as default TeX font, not only 0. Fixes #71, #75, #81.
+|+	o Do not allow ASCII NUL anywhere in input. Fixes #65, #68, #73, #80.
+| 	o Use getline() to improve input scanning.
+| 	  Fixes tickets #58, #59, #61, #62, #67, #78, #79.
+| 	o Correctly scan embedded pdfs for /MediaBox value.
+diff --git fig2dev/object.h fig2dev/object.h
+index fe56bbb..8464010 100644
+--- fig2dev/object.h
++++ fig2dev/object.h
+@@ -3,7 +3,7 @@
+  * Copyright (c) 1991 by Micah Beck
+  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
+  * Parts Copyright (c) 1989-2015 by Brian V. Smith
+- * Parts Copyright (c) 2015-2019 by Thomas Loimer
++ * Parts Copyright (c) 2015-2020 by Thomas Loimer
+  *
+  * Any party obtaining a copy of these files is granted, free of charge, a
+  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
+@@ -94,7 +94,8 @@ typedef struct f_ellipse {
+ #define INVALID_ELLIPSE(e)	\
+ 	e->type < T_ELLIPSE_BY_RAD || e->type > T_CIRCLE_BY_DIA ||	\
+ 	COMMON_PROPERTIES(e) || (e->direction != 1 && e->direction != 0) || \
+-	e->radiuses.x == 0 || e->radiuses.y == 0
++	e->radiuses.x == 0 || e->radiuses.y == 0 || \
++	e->angle < -7. || e->angle > 7.
+ 
+ typedef struct f_arc {
+ 	int			type;
+@@ -243,7 +244,7 @@ typedef struct f_text {
+ 	t->type < T_LEFT_JUSTIFIED || t->type > T_RIGHT_JUSTIFIED ||	\
+ 	t->font < DEFAULT || t->font > MAX_PSFONT ||			\
+ 	t->flags < DEFAULT || t->flags >= 2 * HIDDEN_TEXT ||		\
+-	t->height < 0 || t->length < 0
++	t->height < 0 || t->length < 0 || t->angle < -7. || t->angle > 7.
+ 
+ typedef struct f_control {
+ 	double			lx, ly, rx, ry;	/* used by older versions*/
+|diff --git fig2dev/tests/read.at fig2dev/tests/read.at
+|index 726e6da..2d066e4 100644
+|--- fig2dev/tests/read.at
+|+++ fig2dev/tests/read.at
+|@@ -424,6 +424,14 @@ AT_KEYWORDS([read.c svg])
+| AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
+| AT_CLEANUP
+| 
+|+AT_SETUP([reject out of range text angle, ticket #76])
+|+AT_CHECK([fig2dev -L pstricks <<EOF
+|+FIG_FILE_TOP
+|+4 0 0 50 -1 -1 12 9e26 0 150 405 0 0 Very slanted text\001
+|+EOF
+|+], 1, ignore, ignore)
+|+AT_CLEANUP
+|+
+| AT_BANNER([Dynamically allocate picture file name.])
+| 
+| AT_SETUP([prepend fig file path to picture file name])
+-- 
+2.16.4
+

d6a10d.patch

@@ -0,0 +1,40 @@
+From d6a10d168469ed9c4d681ebdc577ea0f65de1501 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun, 26 Jan 2020 22:13:26 +0100
+Subject: [PATCH] Fix ticket #60. The previous commit fixed also #65, #68, #71,
+ #73, #75
+
+---
+ CHANGES        | 3 ++-
+ fig2dev/read.c | 1 +
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+|diff --git CHANGES CHANGES
+|index f1bbbc3..4834e50 100644
+|--- CHANGES
+|+++ CHANGES
+|@@ -7,7 +7,8 @@ Patchlevel Xx (Xxx 20xx)
+| BUGS FIXED:
+| 	Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
+| 	o Fix ticket #81.
+|-	o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
+|+	o Do not allow ASCII NUL anywhere in input.
+|+	  Fixes tickets #65, #68, #71, #73, #75, #80.
+| 	o Use getline() to improve input scanning.
+| 	  Fixes tickets #58, #59, #61, #62, #67, #78, #79.
+| 	o Correctly scan embedded pdfs for /MediaBox value.
+diff --git fig2dev/read.c fig2dev/read.c
+index 86cee71..797030c 100644
+--- fig2dev/read.c
++++ fig2dev/read.c
+@@ -1322,6 +1322,7 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
+ 		}
+ 	    q->x = x;
+ 	    q->y = y;
++	    q->next = NULL;
+ 	    p->next = q;
+ 	    p = q;
+ 	    ++c;
+-- 
+2.16.4
+

d70e4b.patch

@@ -0,0 +1,129 @@
+From d70e4ba6308046f71cb51f67db8412155af52411 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Sun, 26 Jan 2020 13:16:52 +0100
+Subject: [PATCH] Reject ASCII NUL anywhere in the input
+
+The input is read in line by line, stored in a buffer and processed further
+with sscanf(). Embedded NUL characters ('\0') would already disturb sscanf(),
+and nowhere does the code expect NUL characters. Therefore, detect NUL while
+reading the input, and exit with an error message when NUL is found anywere.
+Fixes ticket #80.
+---
+ CHANGES                              |   4 ++++
+ fig2dev/read.c                       |  21 +++++++++++++++++++--
+ fig2dev/tests/data/text_w_ascii0.fig | Bin 0 -> 321 bytes
+ fig2dev/tests/read.at                |   6 ++++++
+ 4 files changed, 29 insertions(+), 2 deletions(-)
+ create mode 100644 fig2dev/tests/data/text_w_ascii0.fig
+
+|diff --git CHANGES CHANGES
+|index 4a414fa..f1bbbc3 100644
+|--- CHANGES
+|+++ CHANGES
+|@@ -6,6 +6,10 @@ Patchlevel Xx (Xxx 20xx)
+| 
+| BUGS FIXED:
+| 	Ticket numbers refer to https://sourceforge.net/p/mcj/tickets/#.
+|+	o Fix ticket #81.
+|+	o Do not allow ASCII NUL anywhere in input. Fixes ticket #80.
+|+	o Use getline() to improve input scanning.
+|+	  Fixes tickets #58, #59, #61, #62, #67, #78, #79.
+| 	o Correctly scan embedded pdfs for /MediaBox value.
+| 	o Convert polygons having too few points to polylines. Ticket #56.
+| 	o Reject huge arrow types causing integer overflow. Ticket #57.
+diff --git fig2dev/read.c fig2dev/read.c
+index e85ee10..86cee71 100644
+--- fig2dev/read.c
++++ fig2dev/read.c
+@@ -178,8 +178,14 @@ read_objects(FILE *fp, F_compound *obj)
+ 		put_msg("Could not read input file.");
+ 		return -1;
+ 	}
+-	/* seek to the end of the first line */
+-	if (strchr(buf, '\n') == NULL) {
++
++	/* check for embedded '\0' */
++	if (strlen(buf) < sizeof buf - 1 && buf[strlen(buf) - 1] != '\n') {
++		put_msg("ASCII NUL ('\\0') character within the first line.");
++		exit(EXIT_FAILURE);
++	/* seek to the end of the first line
++	   (the only place, where '\0's are tolerated) */
++	} else if (buf[strlen(buf) - 1] != '\n') {
+ 		int	c;
+ 		do
+ 			c = fgetc(fp);
+@@ -1398,6 +1404,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
+ 	return s;
+ }
+ 
++static void
++exit_on_ascii_NUL(const char *restrict line, size_t chars, int line_no)
++{
++	if (strlen(line) < (size_t)chars) {
++		put_msg("ASCII NUL ('\\0') in line %d.", line_no);
++		exit(EXIT_FAILURE);
++	}
++}
++
+ static char *
+ find_end(const char *str, int v30flag)
+ {
+@@ -1469,6 +1484,7 @@ read_textobject(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+ 
+ 		while ((chars = getline(line, line_len, fp)) != -1) {
+ 			++(*line_no);
++			exit_on_ascii_NUL(*line, chars, *line_no);
+ 			end = find_end(*line, v30_flag);
+ 			if (end) {
+ 				*end = '\0';
+@@ -1640,6 +1656,7 @@ get_line(FILE *fp, char **restrict line, size_t *line_len, int *line_no)
+ 		if (**line == '\n' || (**line == '\r' &&
+ 					chars == 2 && (*line)[1] == '\n'))
+ 			continue;
++		exit_on_ascii_NUL(*line, chars, *line_no);
+ 		/* remove newline and possibly a carriage return */
+ 		if ((*line)[chars-1] == '\n') {
+ 			chars -= (*line)[chars - 2] == '\r' ? 2 : 1;
+|diff --git fig2dev/tests/data/text_w_ascii0.fig fig2dev/tests/data/text_w_ascii0.fig
+|new file mode 100644
+|index 0000000000000000000000000000000000000000..fb15b306b26a42446b809d0caf77efcfc73c588a
+|GIT binary patch
+|literal 321
+|zcmV-H0lxktMoC8?GcGa;Okr+hb7Ns}WeP)OZggdG3Q2BbXk~K>Ol5R*WpWBJFfcAK
+|zFbY#?Zf9&|3N11UF)}bPATkOxATS^>ATl5@ATl)|F*Y+GGch1HATS^xFd!{4ATb~?
+|zATkOdFeV^0ATcs9AT=O)Tp%DYATS^>US3{aUP@kGUS3`R!hplS!@pi$US3{aUS3{a
+|zUS3{aUS3{aUS3{aG&LYaTrf#7d0a3sF$yCzATS^>AT=-`EioW1F(5HAATTa4ATS^?
+|zH83DFFf|}BATS_7ZXjWEV`*t1dS!BNASYa0Fee~rWpZU8Ej|D)E-qniWFT{IZDk;B
+|zZ*pZIbY*ySAZBlDY;SjIZf7hYcWHEJAYmY5WpZ?3X>K54ZEtmMbRchLAZ=-GX>E0F
+|TAY*7@a$#e1WpZ;|FfcI+7J*tc
+|
+|literal 0
+|KcmV+b0RR6000031
+|
+|diff --git fig2dev/tests/read.at fig2dev/tests/read.at
+|index 331afb5..60982b0 100644
+|--- fig2dev/tests/read.at
+|+++ fig2dev/tests/read.at
+|@@ -407,6 +407,7 @@ EOF
+| AT_CLEANUP
+| 
+| AT_SETUP([allow tex font -1, ticket #81])
+|+AT_KEYWORDS([pict2e tikz])
+| AT_DATA([text.fig], [FIG_FILE_TOP
+| 4 0 0 50 -1 -1 12 0.0 0 150 405 0 0 Text\001
+| ])
+|@@ -416,6 +417,11 @@ AT_CHECK([fig2dev -L tikz text.fig
+| ], 0, ignore)
+| AT_CLEANUP
+| 
+|+AT_SETUP([reject ASCII NUL ('\0') in input, ticket #80])
+|+AT_KEYWORDS([read.c svg])
+|+AT_CHECK([fig2dev -L svg $srcdir/data/text_w_ascii0.fig], 1, ignore, ignore)
+|+AT_CLEANUP
+|+
+| AT_BANNER([Dynamically allocate picture file name.])
+| 
+| AT_SETUP([prepend fig file path to picture file name])
+-- 
+2.16.4
+

e3cee2.patch

@@ -0,0 +1,33 @@
+From e3cee2576438f47a3b8678c6960472e625f8f7d7 Mon Sep 17 00:00:00 2001
+From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
+Date: Mon, 27 Jan 2020 22:14:29 +0100
+Subject: [PATCH] Keep coordinates of spline controls within sane range
+
+This fixes the fundamental issue of ticket #65.
+---
+ fig2dev/read.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git fig2dev/read.c fig2dev/read.c
+index 797030c..255586a 100644
+--- fig2dev/read.c
++++ fig2dev/read.c
+@@ -1393,6 +1393,15 @@ read_splineobject(FILE *fp, char **restrict line, size_t *line_len,
+ 		free_splinestorage(s);
+ 		return NULL;
+ 	    }
++	    if (lx < INT_MIN || lx > INT_MAX || ly < INT_MIN || ly > INT_MAX ||
++		rx < INT_MIN || rx > INT_MAX || ry < INT_MIN || ry > INT_MAX) {
++		    /* do not care to clean up, we exit anyway
++		       cp->next = NULL;
++		       free_splinestorage(s);	*/
++		    put_msg("Spline control points out of range at line %d.",
++				    *line_no);
++		    exit(EXIT_FAILURE);
++	    }
+ 	    cq->lx = lx; cq->ly = ly;
+ 	    cq->rx = rx; cq->ry = ry;
+ 	    cp->next = cq;
+-- 
+2.16.4
+

transfig-3.2.6.dif

@@ -137,3 +137,35 @@
  #include "transfig.h"
  
  extern void sysmv(char *file);					/* sys.c */
+--- configure
++++ configure	2020-01-24 13:08:02.103408590 +0000
+@@ -4122,7 +4122,7 @@ main ()
+ 
+   int dynamic_array[ni.number];
+   dynamic_array[ni.number - 1] = 543;
+-
++  free(ia);
+   // work around unused variable warnings
+   return (!success || bignum == 0LL || ubignum == 0uLL || newvar[0] == 'x'
+ 	  || dynamic_array[ni.number - 1] != 543);
+@@ -6377,8 +6377,8 @@ char *malloc ();
+ int
+ main ()
+ {
+-return ! malloc (0);
+-  ;
++void *tmp = malloc (0);
++if (tmp) free (tmp); return !tmp;
+   return 0;
+ }
+ _ACEOF
+@@ -6444,7 +6444,8 @@ char *realloc ();
+ int
+ main ()
+ {
+-return ! realloc (0, 0);
++void *tmp = realloc (0, 0);
++if (tmp) free (tmp); return !tmp;
+   ;
+   return 0;
+ }

transfig.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Tue Feb 11 11:38:01 UTC 2020 - Dr. Werner Fink <werner@suse.de>
+
+- Add upstream security patches/commits
+  * 00cded.patch
+  * 2f8d1a.patch
+  * 3165d8.patch
+  * 421afa.patch
+  * 4d4e1f.patch
+  * 639c36.patch
+  * acccc8.patch
+  * d6a10d.patch
+  * d70e4b.patch
+  * e3cee2.patch
+
 -------------------------------------------------------------------
 Tue Jan 21 13:08:49 UTC 2020 - Dr. Werner Fink <werner@suse.de>
 

transfig.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package transfig
 #
-# Copyright (c) 2020 SUSE LLC.
+# Copyright (c) 2020 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -60,6 +60,16 @@ Patch4:         transfig-fix-afl.patch
 Patch5:         CVE-2019-19746.patch
 Patch6:         c379fe.patch
 Patch7:         CVE-2019-19797.patch
+Patch8:         00cded.patch
+Patch9:         d70e4b.patch
+Patch10:        d6a10d.patch
+Patch11:        acccc8.patch
+Patch12:        e3cee2.patch
+Patch13:        421afa.patch
+Patch14:        2f8d1a.patch
+Patch15:        4d4e1f.patch
+Patch16:        3165d8.patch
+Patch17:        639c36.patch
 Patch43:        fig2dev-3.2.6-fig2mpdf.patch
 Patch44:        fig2dev-3.2.6-fig2mpdf-doc.patch
 Patch45:        fig2dev-3.2.6a-RGBFILE.patch
@@ -107,15 +117,26 @@ find -type f | xargs -r chmod a-x,go-w
 %patch5 -p0 -b .sec2
 %patch6 -p0 -b .sec3
 %patch7 -p0 -b .sec4
+%patch8 -p0 -b .sec5
+%patch9 -p0 -b .sec6
+%patch10 -p0 -b .sec7
+%patch11 -p0 -b .sec8
+%patch12 -p0 -b .sec9
+%patch13 -p0 -b .sec10
+%patch14 -p0 -b .sec11
+%patch15 -p0 -b .sec12
+%patch16 -p0 -b .sec13
+%patch17 -p0 -b .sec14
 %patch43 -p2 -b .mpdf
 %patch44 -p1 -b .mpdfdoc
 %patch45 -p1 -b .p45
 
 %build
+ulimit -v unlimited || :
 CC=gcc
-CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99"
-CFLAGS="$CFLAGS -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
-export CC CFLAGS
+CFLAGS="%{optflags} -fno-strict-aliasing -w -D_GNU_SOURCE -std=gnu99 -fsanitize=address $(getconf LFS_CFLAGS)"
+LDFLAGS="-lasan"
+export CC CFLAGS LDFLAGS
 chmod 755 configure
 %configure \
     --docdir=%{_defaultdocdir}/%{name} \