From 9a3bb985fd61674e6018830d9d6534dc47399e75784cdbebe86eae11a1dd64cd Mon Sep 17 00:00:00 2001
From: "Dr. Werner Fink"
Date: Fri, 28 Sep 2012 14:13:53 +0000
Subject: [PATCH] .
OBS-URL: https://build.opensuse.org/package/show/graphics/xfig?expand=0&rev=27
---
 xfig.3.2.5b-bnc777469.diff | 51 ++++++++++++++++++++++++++++++++++++++
 xfig.changes | 5 ++++
 xfig.spec | 2 ++
 3 files changed, 58 insertions(+)
 create mode 100644 xfig.3.2.5b-bnc777469.diff
diff --git a/xfig.3.2.5b-bnc777469.diff b/xfig.3.2.5b-bnc777469.diff
new file mode 100644
index 0000000..8dc4da0
--- /dev/null
+++ b/xfig.3.2.5b-bnc777469.diff
@@ -0,0 +1,51 @@
+--- xfig.3.2.5b/f_readold.c
++++ xfig.3.2.5b/f_readold.c 2009-12-04 10:20:36.000000000 +0000
+@@ -471,7 +471,7 @@ read_1_3_textobject(FILE *fp)
+ F_text *t;
+ int n;
+ int dum;
+- char buf[128];
++ char buf[512];
+ PR_SIZE tx_dim;
+ 
+ if ((t = create_text()) == NULL)
+@@ -485,22 +485,34 @@ read_1_3_textobject(FILE *fp)
+ t->pen_style = -1;
+ t->angle = 0.0;
+ t->next = NULL;
++ if (!fgets(buf, sizeof(buf), fp)) {
++ file_msg("Incomplete text data");
++ free((char *) t);
++ return (NULL);
++ }
++
++ /* Note using strlen(buf) here will waste a few bytes, as the
++ various text attributes are counted into this length too. */
++ if ((t->cstring = new_string(strlen(buf))) == NULL)
++ return (NULL);
++
+ /* ascent and length will be recalculated later */
+- n = fscanf(fp, " %d %d %d %d %d %d %d %[^\n]",
++ n = sscanf(buf, " %d %d %d %d %d %d %d %[^\n]",
+ &t->font, &dum, &dum, &t->ascent, &t->length,
+- &t->base_x, &t->base_y, buf);
++ &t->base_x, &t->base_y, t->cstring);
+ if (n != 8) {
+ file_msg("Incomplete text data");
++ free(t->cstring);
+ free((char *) t);
+ return (NULL);
+ }
+- if ((t->cstring = new_string(strlen(buf))) == NULL) {
++
++ if (!strlen(t->cstring)) {
++ free(t->cstring);
+ free((char *) t);
+ file_msg("Empty text string at line %d.", line_no);
+ return (NULL);
+ }
+- /* put string in structure */
+- strcpy(t->cstring, buf);
+ 
+ /* get the font struct */
+ t->zoom = zoomscale;
diff --git a/xfig.changes b/xfig.changes
index 43b9804..00cfdf8 100644
--- a/xfig.changes
+++ b/xfig.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Sep 28 14:13:06 UTC 2012 - werner@suse.de
+
+- Fix bnc #777469 - CVE-2009-4227: xfig: stack based overflows
+
 -------------------------------------------------------------------
 Thu May 31 07:33:50 UTC 2012 - cfarrell@suse.com

diff --git a/xfig.spec b/xfig.spec
index f343888..174794c 100644
--- a/xfig.spec
+++ b/xfig.spec
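Review bot: The new `new_string` failure branch in the second nested hunk, `if ((t->cstring = new_string(strlen(buf))) == NULL) return (NULL);`, returns without releasing `t`, while the other error exits in the hunk free it; it should read `if ((t->cstring = new_string(strlen(buf))) == NULL) { free((char *) t); return (NULL); }`. The `fgets`/`sscanf` split does remove the unbounded `%[^\n]` write into the 128-byte stack buffer (the CVE-2009-4227 overflow named in the changes entry), but a line longer than 511 bytes is now cut silently: `fgets` leaves the remainder in `fp`, the truncated text is stored, and the leftover bytes are parsed as the start of the next object, so a check such as `strchr(buf, '\n') == NULL && !feof(fp)` that reports the line as too long and frees `t` would make that failure explicit. The `!strlen(t->cstring)` test after a successful 8-field `sscanf` appears unreachable, because `%[^\n]` fails rather than matching zero characters and the preceding space in the format skips whitespace, so the "Empty text string" message can presumably no longer be produced on this path. read_1_3_textobject begins before the first nested hunk and continues after `t->zoom = zoomscale;`.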
@@ -63,6 +63,7 @@ Patch8: xfig.3.2.5b-pspdftex.dif
 Patch9: xfig.3.2.5b-libpng14.dif
 Patch10: xfig.3.2.5b-preview.dif
 Patch11: xfig.3.2.5b-bnc657393.dif
+Patch12: xfig.3.2.5b-bnc777469.diff
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)}
 %if "%_exec_prefix" == "/usr/X11R6"
@@ -111,6 +112,7 @@ find -type f | xargs -r chmod a-x,go-w
 %patch9 -p0 -b .libpng14
 %patch10 -p0 -b .preview
 %patch11 -p0 -b .vsprintf
+%patch12 -p1 -b .ovflow
 cp %{S:1} .
 test ! -e Libraries/Examples/aircraft.fig || { echo forbidden file found 1>&2; exit 1; }