transfig/CVE-2019-19555.patch

Based on 19db5fe6f77ebad91af4b4ef0defd61bd0bb358f Mon Sep 17 00:00:00 2001
From: Thomas Loimer <thomas.loimer@tuwien.ac.at>
Date: Wed, 4 Dec 2019 17:56:04 +0100
Subject: [PATCH] Allow fig 2 text ending with multiple ^A, ticket #55

---
 fig2dev/read.c        |    4 ++--
 fig2dev/tests/read.at |   11 +++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

--- fig2dev/read.c
+++ fig2dev/read.c	2019-12-05 08:48:27.630190316 +0000
@@ -3,7 +3,7 @@
  * Copyright (c) 1991 by Micah Beck
  * Parts Copyright (c) 1985-1988 by Supoj Sutanthavibul
  * Parts Copyright (c) 1989-2015 by Brian V. Smith
- * Parts Copyright (c) 2015-2018 by Thomas Loimer
+ * Parts Copyright (c) 2015-2019 by Thomas Loimer
  *
  * Any party obtaining a copy of these files is granted, free of charge, a
  * full and unrestricted irrevocable, world-wide, paid up, royalty-free,
@@ -1328,7 +1328,7 @@ read_textobject(FILE *fp)
 		If we do not find the CONTROL-A on this line then this must
 		be a multi-line text object and we will have to read more. */
 
-	    n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%[\1]",
+	    n = sscanf(buf,"%*d%d%d%lf%d%d%d%lf%d%lf%lf%d%d%[^\1]%1[\1]",
 		&t->type, &t->font, &t->size, &t->pen,
 		&t->color, &t->depth, &t->angle,
 		&t->flags, &t->height, &t->length,
--- fig2dev/tests/read.at
+++ fig2dev/tests/read.at	2019-12-05 08:48:27.634190239 +0000
@@ -359,6 +359,17 @@ EOF
 ], 0, ignore)
 AT_CLEANUP
 
+AT_SETUP([allow text ending with multiple ^A, ticket #55])
+AT_KEYWORDS([read.c])
+AT_CHECK([fig2dev -L box <<EOF
+#FIG 2
+1200 2
+4 2 0 0 1 0 0 390 306 110 376 639 5 Text


+EOF
+], 1, ignore, [Invalid text object at line 2.
+])
+AT_CLEANUP
+
 AT_BANNER([Dynamically allocate picture file name.])
 
 AT_SETUP([prepend fig file path to picture file name])