Fixed null pointer dereference in function agroot()

Resolves: CVE-2019-11023

graphviz-2.40.1-CVE-2019-11023.patch

@@ -0,0 +1,65 @@
+--- a/cmd/tools/graphml2gv.c
++++ b/cmd/tools/graphml2gv.c
+@@ -477,8 +468,10 @@
+ 	if (pos > 0) {
+ 	    const char *attrname;
+ 	    attrname = atts[pos];
+-
+-	    bind_node(attrname);
++            if (G == 0)
++                fprintf(stderr,"node %s outside graph, ignored\n",attrname);
++	    else
++                bind_node(attrname);
+ 
+ 	    pushString(&ud->elements, attrname);
+ 	}
+@@ -504,21 +497,25 @@
+ 	if (tname)
+ 	    head = tname;
+ 
+-	bind_edge(tail, head);
+-
+-	t = AGTAIL(E);
+-	tname = agnameof(t);
+-
+-	if (strcmp(tname, tail) == 0) {
+-	    ud->edgeinverted = FALSE;
+-	} else if (strcmp(tname, head) == 0) {
+-	    ud->edgeinverted = TRUE;
+-	}
+-
+-	pos = get_xml_attr("id", atts);
+-	if (pos > 0) {
+-	    setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
+-	}
++        if (G == 0)
++            fprintf(stderr,"edge source %s target %s outside graph, ignored\n",(char*)tail,(char*)head);
++        else {
++            bind_edge(tail, head);
++
++            t = AGTAIL(E);
++	    tname = agnameof(t);
++
++	    if (strcmp(tname, tail) == 0) {
++	        ud->edgeinverted = FALSE;
++	    } else if (strcmp(tname, head) == 0) {
++	        ud->edgeinverted = TRUE;
++	    }
++
++	    pos = get_xml_attr("id", atts);
++	    if (pos > 0) {
++	        setEdgeAttr(E, GRAPHML_ID, (char *) atts[pos], ud);
++	    }
++        }
+     } else {
+ 	/* must be some extension */
+ 	fprintf(stderr,
+@@ -545,7 +536,7 @@
+ 	char *ele_name = topString(ud->elements);
+ 	if (ud->closedElementType == TAG_GRAPH) {
+ 	    Agnode_t *node = agnode(root, ele_name, 0);
+-	    agdelete(root, node);
++	    if (node) agdelete(root, node);
+ 	}
+ 	popString(&ud->elements);
+ 	Current_class = TAG_GRAPH;

graphviz.spec

@@ -61,7 +61,7 @@
 Name:			graphviz
 Summary:		Graph Visualization Tools
 Version:		2.40.1
-Release:		44%{?dist}
+Release:		45%{?dist}
 License:		EPL-1.0
 URL:			http://www.graphviz.org/
 # A bit hacking needed due to: https://gitlab.com/graphviz/graphviz/issues/1371
@@ -73,6 +73,7 @@ Patch2:			graphviz-2.40.1-CVE-2018-10196.patch
 # rhbz#1505230
 Patch3:			graphviz-2.40.1-dotty-menu-fix.patch
 Patch4:			graphviz-2.40.1-coverity-scan-fixes.patch
+Patch5:			graphviz-2.40.1-CVE-2019-11023.patch
 BuildRequires:		zlib-devel, libpng-devel, libjpeg-devel, expat-devel, freetype-devel >= 2
 BuildRequires:		ksh, bison, m4, flex, tk-devel, tcl-devel >= 8.3, swig, sed
 BuildRequires:		fontconfig-devel, libtool-ltdl-devel, ruby-devel, ruby, guile-devel
@@ -289,6 +290,7 @@ Various tcl packages (extensions) for the graphviz tools.
 %patch2 -p1 -b .CVE-2018-10196
 %patch3 -p1 -b .dotty-menu-fix
 %patch4 -p1 -b .coverity-scan-fixes
+%patch5 -p1 -b .CVE-2019-11023
 
 # Attempt to fix rpmlint warnings about executable sources
 find -type f -regex '.*\.\(c\|h\)$' -exec chmod a-x {} ';'
@@ -607,6 +609,10 @@ php --no-php-ini \
 %{_mandir}/man3/*.3tcl*
 
 %changelog
+* Wed Apr 24 2019 Jaroslav Škarvada <jskarvad@redhat.com> - 2.40.1-45
+- Fixed null pointer dereference in function agroot()
+  Resolves: CVE-2019-11023
+
 * Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 2.40.1-44
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild